ABSTRACT


This paper describes a theorem prover that embodies knowledge about
programming constructs, such as numbers, arrays, lists, and expressions.
The program can reason about these concepts and is used as part of a
program verification system that uses the Floyd-Naur explication of
program semantics. It is implemented in the QA4 language; the QA4 system
allows many pieces of strategic knowledge, each expressed as a small
program, to be coordinated so that a program stands forward when it is
relevant to the problem at hand. The language allows clear, concise
representation of this sort of knowledge. The QA4 system also has special
facilities for dealing with commutative functions, ordering relations, and
equivalence relations; these features are heavily used in this deductive
system. The program interrogates the user and asks his advice in the
course of a proof. Verifications have been found for Hoare's FIND
program, a real-number division algorithm, and some sort programs, as
well as for many simpler algorithms. Additional theorems have been
proved about a pattern matcher and a version of Robinson's unification
algorithm. The appendix contains a complete, annotated listing of the
deductive system and annotated traces of several of the deductions
performed by the system.
Problems worthy
of attack
Prove their worth
by hitting back.

Piet Hein

I  INTRODUCTION  AND  BACKGROUND 


This paper describes a computer program that proves theorems about
programs. Proving theorems about programs is of practical importance
because it helps certify that they are correct. Instead of testing a
program on test cases, which may allow some bugs to remain, we can try to
prove mathematically that it behaves as we expect. We hope future
systems that reason about programs and understand how they work will help
us to write and change programs.

Many programs have done this sort of reasoning. James King [1969]*
developed a program verifier that could prove theorems about programs;
his program proved an interesting class of theorems and was very fast.
Peter Deutsch [1973] has recently written a system for interactive
program writing that can also prove things about programs. It is perhaps
not as fast as King's system, but it can prove more interesting theorems.

S. Igarashi, R. London, and D. Luckham [1973] have recently applied a
resolution theorem prover to program verification, and their results are
impressive also. They can verify such programs as Hoare's [1961] FIND.
Their system does little actual resolution and a lot of simplification
and reasoning about equality. A program devised by Boyer and Moore [1973]
can prove difficult theorems about LISP programs.

Thus,  there  is  no  shortage  of  interesting  work  related  to  our  own. 

The  special  characteristic  of  our  own  system  is  that  it  is  markedly 
concise,  readable,  and  easy  to  change  and  apply  to  new  subject  areas. 

*References are listed alphabetically at the end of the paper.
Our program verifier consists of a theorem prover (or deductive
system) and a "verification condition generator." The verification
condition generator takes an annotated program as input and constructs a
list of theorems as output. The truth of the constructed theorems implies
the correctness of the program. The task of the deductive system is to
prove these theorems. The verification condition generator [Elspas et al.,
1973] is written in BBN-LISP [Teitelman et al., 1971], and the deductive
system is written in QA4 [Rulifson et al., 1972]. This paper focuses on
the deductive system but, to be complete, gives examples of verification
condition generation as well.

In writing our deductive system, we were motivated by several goals.
First, the system should be able to find proofs; it should have enough
deductive power to prove, within a comfortable time and space, the
theorems being considered. Also, these proofs should be at the level of
an informal demonstration in a mathematical textbook. This means that
the difficulty in following one line to the next in any proof should be
small enough that the proof is understandable, yet large enough not to be
trivial. In any practical program verifier, the user will wish to
follow the steps in a deduction. Who would believe a program verifier that
only printed out "true" in the course of pursuing a proof? Furthermore,
the strategies the system uses in searching for a proof should be
strategies that we find natural. Not only should the tactics that
eventually lead to the proof be ones we might use in proving the statement
by hand, but also the false starts the system makes should be ones we
might make ourselves. We do not want the system to rely on blind search;
the trace of an attempted solution should make interesting reading.

In addition to the requirement that proofs be readable, the rules
the system uses in going from one line to the next should be easy to
read and understand. We should be able to look at a rule and see what
it does. Also, it should be easy to change old rules and to add new rules.
The user of a program verifier is likely to introduce new concepts, such
as operators or data structures. We want to be able to tell the deductive
system how these structures behave and to have the system reason
effectively using the new symbols. Giving the system new information
should be possible without knowing how the system works, and certainly
without reprogramming the system. Furthermore, the addition of new
information should not prohibitively degrade the performance of the system.

The system is intended to evolve with use. As we apply the system
to new problems, we are forced to give the system new information and,
perhaps, to generalize some old information. These changes are
incorporated into the system, which may then be better able to solve new
problems.

Since  the  system  is  easy  to  extend  and  generalize,  we  do  not  worry 
about  the  completeness  or  generality  of  any  particular  version  of  the 
system.  It  is  powerful  enough  to  solve  the  sort  of  problem  on  which  it 
has  been  trained,  and  it  can  be  easily  changed  when  necessary. 

These  considerations  played  a  part  in  the  design  of  the  programming 
system  called  QA4,  as  well  as  in  the  construction  of  our  deductive  system, 
which  is  written  in  the  QA4  language.  Some  of  the  techniques  described 
below  are  embedded  in  the  QA4  system  itself;  others  are  expressed  as  parts 
of  the  deductive  system. 


II  THE FLOYD-NAUR METHOD


Perhaps not all readers are familiar with the method of proving
statements about programs that we have followed in our work. Our method
is a natural technique introduced independently by Floyd [1967] and
Naur [1966] and formalized by Hoare [1969]. Knuth [1968] traces the germ
of the idea back to von Neumann and Goldstine [1963] in the paper that
introduced the concept of the flow chart. Although we cannot give a
thorough introduction to that subject here, we provide below an example
of its application to convey the flavor of the approach:

Consider a simple program that exchanges the values of two variables
through a temporary T. (The flow chart is not reproduced in this copy;
as the derivation below shows, it consists of the assignments T ← X,
X ← Y, and Y ← T in that order, with points A, B, C, and D before,
between, and after them.) We assume that before the program is executed,
X and Y have some initial values $X_0$ and $Y_0$. Suppose we want to
prove that after the program is executed, $X = Y_0$ and $Y = X_0$. We
offer these input and output assertions as comments in our program:

    START
    A:  $X = X_0 \wedge Y = Y_0$
        T ← X
    B
        X ← Y
    C
        Y ← T
    D:  $X = Y_0 \wedge Y = X_0$
    HALT


These  assertions  are  not  to  be  executed  by  the  program  in  any  way,  but 
they  tell  us  something  about  the  way  the  programmer  expects  his  program 
to  behave.  He  expects  the  assertion  at  A  to  be  true  when  control  passes 
through  A,  and  the  assertion  at  D  to  be  true  when  control  passes  through 
D. 


The essence of the Floyd-Naur approach is to generate from a
commented program like the one above a set of statements called the
verification conditions. If these statements are true, then the assertions
the programmer has put in his program are correct. Whereas the
programmer's assertions are correct only when control passes through the
appropriate point, the verification conditions are true in general, and
they can be proved by a deductive system that knows nothing about
sequential processing, loops, recursion, or other concepts about the flow
of control and nothing else about the particular program.

To generate the verification condition for our sample program, we
pass the output assertion back toward the input assertion. As we pass
it back, we change it to reflect the changing state of the system. In
particular, if any assignments are made within the program, then the
corresponding substitution should be made in the assertion. Passing the
assertion at D back to point C changes it to $X = Y_0 \wedge T = X_0$.

We can argue that if the assertion at C is true when control passes
through C, then the assertion at D will be true when control passes
through D. In particular, if $T = X_0$ is true at C, and we execute
Y ← T, then $Y = X_0$ will be true at D.
Passing the assertion all the way back to A in this manner gives
the assertion $Y = Y_0 \wedge X = X_0$. If this assertion is true at A,
then the final assertion will be true at D. However, we are already given
the initial assertion $X = X_0 \wedge Y = Y_0$. The truth of the assertion
at D then depends on the truth of the implication

    $X = X_0 \wedge Y = Y_0 \supset Y = Y_0 \wedge X = X_0$.

This statement is the verification condition for this program. It can
be proved by a deductive system independently of any knowledge about this
program.

Constructing  verification  conditions  by  this  method  is  an  algorithmic 
process,  not  a  heuristic  one.  Although  the  design  of  a  language  for  ex¬ 
pressing  assertions  remains  an  important  and  challenging  problem  (we 
introduce  below  some  constructs  for  such  a  language),  it  is  not  a  problem 
in  the  artificial  intelligence  domain.  On  the  other  hand,  there  is  no  cut 
and  dried  algorithm  for  proving  verification  conditions,  and  this  is  thus 
a  fit  subject  for  artificial  intelligence  research.  Although  we  have  no 
general  algorithm  for  proving  verification  conditions,  this  somewhat  re¬ 
stricted  domain  is  more  tractable  than  the  general  theorem-proving  problem. 
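The backward pass described in this section, carried out mechanically, is the heart of a verification condition generator. The following Python program is an added example, not the BBN-LISP generator of the paper: it passes an output assertion backward over a straight-line path of assignments and taken tests, returns the hypotheses and the goal in the shape the text uses, and reconstructs the verification condition of the exchange program. The term encoding (strings for variables and constants, tuples for operators and array references, `("A", "I")` for A[I]) and the tiny `trivially_provable` check are this example's own conventions; the second path, taken from Figure 1 of the next section, assumes the order of loop steps stated in its comment.

```python
from typing import Any, List, Tuple

# Term encoding for this example: a string is a variable or constant, a
# tuple is (operator, args...), e.g. ("+", "I", 1) for I+1 and ("A", "I")
# for A[I].  An atom is (relation, lhs, rhs) or ("not", atom); an assertion
# is a list of atoms read as their conjunction, as in the paper.
Term = Any
Atom = Tuple

def subst(term: Term, var: str, value: Term) -> Term:
    """Replace every occurrence of variable `var` in `term` by `value`.
    The head of a tuple (operator, relation or array name) is not a variable."""
    if term == var:
        return value
    if isinstance(term, tuple):
        return (term[0], *(subst(t, var, value) for t in term[1:]))
    return term

def verification_condition(pre: List[Atom], path: list, post: List[Atom]):
    """Pass `post` backward along a straight-line `path` to its start.
    An assignment (":=", v, e) substitutes e for v in everything carried so
    far; a test ("?", atom) that control took on this path becomes a
    hypothesis, which the assignments before it on the path also rewrite.
    Returns (hypotheses, goal); the verification condition is
    'conjunction of hypotheses implies conjunction of goal'."""
    hyps: List[Atom] = []
    goal = list(post)
    for step in reversed(path):
        if step[0] == ":=":
            _, var, expr = step
            hyps = [subst(a, var, expr) for a in hyps]
            goal = [subst(a, var, expr) for a in goal]
        elif step[0] == "?":
            hyps.insert(0, step[1])
        else:
            raise ValueError(f"unknown step {step!r}")
    return list(pre) + hyps, goal

def trivially_provable(hyps: List[Atom], goal: List[Atom]) -> bool:
    """The only deduction this example needs: every goal atom is either
    reflexive (t = t) or is among the hypotheses, allowing for symmetry of =."""
    known = set(hyps) | {("=", a[2], a[1]) for a in hyps if a[0] == "="}
    return all(a in known or (a[0] == "=" and a[1] == a[2]) for a in goal)

def swap_vc():
    """The exchange program of the text, T := X; X := Y; Y := T, from the
    input assertion at A to the output assertion at D."""
    pre = [("=", "X", "X_0"), ("=", "Y", "Y_0")]
    path = [(":=", "T", "X"), (":=", "X", "Y"), (":=", "Y", "T")]
    post = [("=", "X", "Y_0"), ("=", "Y", "X_0")]
    return verification_condition(pre, path, post)

def max_loop_vc():
    """Path C -> E -> C of Figure 1 for the first conjunct MAX = A[LOC].
    ASSUMPTION: the loop body is taken to be 'exit test N < I+1 not taken;
    I := I+1; test MAX < A[I] taken; MAX := A[I]; LOC := I', which is
    consistent with hypotheses (4) and (5) in the text (the flow chart
    itself is not reproduced in this copy)."""
    at_c = [("=", "MAX", ("A", "LOC"))]
    path = [("?", ("not", ("<", "N", ("+", "I", 1)))),
            (":=", "I", ("+", "I", 1)),
            ("?", ("<", "MAX", ("A", "I"))),
            (":=", "MAX", ("A", "I")),
            (":=", "LOC", "I")]
    return verification_condition(at_c, path, at_c)

if __name__ == "__main__":
    for name, (hyps, goal) in (("swap", swap_vc()), ("max loop", max_loop_vc())):
        print(name, "hypotheses:", hyps)
        print(name, "goal:", goal, "provable:", trivially_provable(hyps, goal))
```

For the exchange program the goal comes out as Y = Y_0 and X = X_0 and the hypotheses are the input assertion, which is the implication stated above with its two sides listed separately. For the loop path the taken test MAX < A[I] is rewritten by the earlier assignment I := I+1 into MAX < A[I+1], which is how hypothesis (5) of the next section arises.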




III  A PROGRAM THAT FINDS THE LARGEST ELEMENT OF AN ARRAY


Before we explain how the system is structured or implemented, let
us first look at a sample of some deductions performed by our system.
This example will give a better idea of the subject domain of the
inference system and of the sort of reasoning we have to do. It will also
give a better picture of the process of generating a verification
condition (Floyd [1967]).

Suppose we are given the annotated program shown in Figure 1 to
compute the largest element in an array and its location. This program
searches through the array, keeping track of the largest element it has
seen so far and the location of this element. The intermediate assertion
at C* says that MAX is the largest element in the array between 0 and I
and that LOC is the index for MAX. Although our assertion language does
not permit the ellipsis notation used in the assertions below, we have
introduced some suitable analogues, which are discussed later.

To  prove  assertions  about  a  complex  program,  the  system  decomposes 
it  into  simple  paths.  This  program  can  be  decomposed  into  four  simple 
paths : 

•  The  path  from  B  to  C . 

•  The  path  from  C  to  D. 

•  The  path  from  C  around  the  loop  and  back  to  C  through 
point  E . 

•  The  path  from  C  around  the  loop  and  back  to  C  through 
point  F, 

*In this program, and in examples throughout the paper, when we list
several statements in an assertion, we mean the implicit conjunction of
those statements. We will often also refer to each conjunct as an
assertion.
[Figure 1 (flow chart) is not reproduced in this copy.]

FIGURE 1  FINDING THE MAXIMUM OF AN ARRAY
Notice that the author of this program has put assertions not only
at the START and HALT nodes of the program, but also at the intermediate
point C. He has done this so that the proof of the program can be reduced
to proving straight-line paths in the same way that the simple program
of the previous section was verified. For instance, the path that begins
at C, travels around the loop through E, and returns to C can be regarded
as a simple, straight-line program with the assertion at C as both its
start assertion and its halt assertion. The assertion at C has been
cleverly chosen to be true when the loop is entered, to remain true
whenever control travels around the loop and returns to C, and to be
strong enough to allow the assertion at D to be proved when control leaves
the loop and the program halts. (The choice of suitable internal assertions
can be an intellectually exacting task; some heuristic methods have been
proposed that will work in this and many other examples (Elspas et al.
[1972], Wegbreit [1973], Katz and Manna [1973]).)

If all the straight-line paths of the program are shown to be
correctly described by the given assertions, and if the program can be
shown to terminate (this must be done separately), then we can conclude
that the program is indeed correct, at least with respect to the
programmer's final assertion.

Although there are many paths in the decomposition of a program,
typically most of the paths are easy to verify. For this program, we
examine two of the paths.

First, suppose we want to demonstrate that if the assertion at point
C is true when control passes through C, then the assertion at C will
still be true if control passes around the loop and returns again to C.
We will restrict our attention to the more interesting case, in which
the test MAX < A[I]? is true; in this case, control passes through E.
Furthermore, we will try to prove only that the second conjunct of the
assertion at C remains true. Our verification condition generator gives
us the following statement to prove:


    $\mathit{MAX} = A[\mathit{LOC}] \;\wedge$                                 (1)
    $A[0] \le \mathit{MAX},\ \ldots,\ A[I] \le \mathit{MAX} \;\wedge$          (2)
    $0 \le \mathit{LOC} \le I \le N \;\wedge$                                 (3)
    $\neg(N < I+1) \;\wedge$                                                  (4)
    $\mathit{MAX} < A[I+1] \;\supset$                                         (5)
    $A[0] \le A[I+1],\ \ldots,\ A[I+1] \le A[I+1]$.                           (6)

This statement is actually represented as five separate hypotheses and a
goal to be deduced from these hypotheses. Lines (1) through (3) come
from the assertion at C, and lines (4) and (5) come from the tests along
the path. Line (6) comes from the assertion at C again. How the above
statement is derived from the program is shown in detail in Appendix C.

The behavior of the deductive system in this problem is typical of
its approach to many problems. The goal, (6), is broken into two
subgoals:

    $A[0] \le A[I+1] \wedge \ldots \wedge A[I] \le A[I+1]$                   (7)

and

    $A[I+1] \le A[I+1]$.                                                    (8)

The second subgoal, (8), is immediately seen to be true. The first
subgoal, (7), is easily derived from (2) and (5).

Now let us look at the path from C to D. We will assume the assertion
at C is true and will prove the assertion at D. We will look at the first
conjunct of the assertion at D. Our verification condition generator gives
us the following statement to prove:

    $\mathit{MAX} = A[\mathit{LOC}] \;\wedge$                                 (9)
    $A[0] \le \mathit{MAX} \wedge \ldots \wedge A[I] \le \mathit{MAX} \;\wedge$   (10)
    $0 \le \mathit{LOC} \le I \le N \;\wedge$                                 (11)
    $N < I+1 \;\supset$                                                       (12)
    $A[0] \le \mathit{MAX} \wedge \ldots \wedge A[N] \le \mathit{MAX}$.         (13)

The reasoning required for this proof is a little more subtle than the
previous deduction. When the system learns that $N < I+1$ (12), it
immediately concludes that $N+1 \le I+1$, since N and I are integers. It
further deduces that $N \le I$. Since it already knows that $I \le N$ (11),
it concludes that $N = I$. Using hypothesis (10), the system reduces the
goal (13) to proving that $I = N$, which it now knows.

This deduction involves a lot of reasoning forward from assumptions
and not much reasoning backward from goals. Both of these proofs are
typical of the behavior of the system at large because of their strong
use of the properties of equality and the ordering relations.

The  QA4  system  incorporates  enough  of  the  common  techniques  of  theo¬ 
rem  proving  and  problem  solving  that  our  inference  system  needs  no 
general  problem-solving  knowledge,  but  only  some  knowledge  about  numbers, 
arrays,  and  other  structures.  The  following  sections  show  how  the  QA4 
language  allows  that  knowledge  to  be  represented. 
IV  THE QA4 LANGUAGE


A. Pattern Matching and the Goal Mechanism

The deductive system is made up of many rules expressed as small
functions or programs. Each of these programs knows one fact and the
use for that fact. The QA4 programming language is designed so that all
these programs can be coordinated; when a problem is presented to the
system, the functions that are relevant to the problem "stand forward"
in the sense explained below.

A  program  has  the  form 

(LAMBDA  (pattern ) (body )) 

Part  of  the  knowledge  of  what  the  program  can  be  used  for  is  expressed 
in  the  pattern.  When  a  function  is  applied  to  an  argument,  the  pattern 
is  matched  against  that  argument.  If  the  argument  turns  out  to  be  an 
instance of the pattern, the match is said to be successful. The unbound
variables in the pattern are then bound to the appropriate subexpressions
of the argument, and the body of the program is evaluated with respect to
those new bindings.

For example, the program

    REVTUP = (LAMBDA (TUPLE ←X ←Y) (TUPLE $Y $X))

has pattern (TUPLE ←X ←Y) and body (TUPLE $Y $X). The prefix "←" means
that the variable is to be given a new binding. The prefix "$" means
that the variable's old binding is to be used. When REVTUP is applied
to (TUPLE A B), the pattern (TUPLE ←X ←Y) is matched against (TUPLE A B).
The match is seen to be successful, the variable X to be bound to A and
the variable Y to be bound to B. The body (TUPLE $Y $X) is evaluated
with respect to these bindings, giving (TUPLE B A).


On the other hand, if a function is applied to an argument and the
pattern of that function does not match the argument, a condition known
as failure occurs. At many points in the execution of a program, the
system makes an arbitrary choice between alternatives. Failure initiates
a backing up to the most recent choice and the selection of another
alternative. The mismatching of patterns is only one of the ways in which
failure can occur in a program.

We  have  yet  to  explain  how  a  program  stands  forward  when  it  is  re¬ 
levant.  In  the  above  example,  the  function  was  called  by  name,  much  as 
it  is  in  a  conventional  programming  language.  But  it  is  also  possible 
to  make  an  argument  available  to  any  applicable  program  in  a  specified 
class.  This  is  done  by  means  of  the  goal  mechanism. 

When we say (GOAL (goalclass) (argument)), we assume that the goal
class is a tuple of names of functions. We are making that argument
available to the entire class of functions. The pattern of each of those
functions is matched in turn against the argument. If the match is
successful, the function is applied to that argument. If the function
returns a value, that value is returned as the value of the goal statement.
On the other hand, if a failure occurs in evaluating the function,
backtracking occurs, the next function in the goal class is tried, and the
process is repeated. If none of the functions in the goal class succeed,
the entire goal statement fails.

For example, in our deductive system, one of the goal classes is
called EQRULES, the rules used for proving equalities. One of these rules
is

    EQTIMESDIVIDE = (LAMBDA (EQ ←W (TIMES (DIVIDE ←X ←Y) ←Z))
                      (GOAL $EQRULES
                            (EQ (TIMES $Y $W) (TIMES $X $Z))))
This rule states that to prove W = (X/Y)*Z, we should try to prove
Y*W = X*Z. (The actual EQTIMESDIVIDE, shown in Appendix A, is more general
than this.) The rule has the pattern

    (EQ ←W (TIMES (DIVIDE ←X ←Y) ←Z))

If we execute (GOAL $EQRULES (EQ A (TIMES (DIVIDE B C) D))) [i.e., we
want to prove A = (B/C)*D], the system will try all the applicable EQRULES
in turn. If none of the previous rules succeed, the system will eventually
reach EQTIMESDIVIDE. It will find that the pattern of EQTIMESDIVIDE
matches this argument, binding W to A, X to B, Y to C, and Z to D. Then
it will evaluate the body of this function; i.e., it will try

    (GOAL $EQRULES (EQ (TIMES C A) (TIMES B D)))

If it fails to prove (EQ (TIMES C A) (TIMES B D)), it will try to apply
the remaining EQRULES to the original argument, (EQ A (TIMES (DIVIDE B C)
D)). The goal statement is an example of the pattern-directed function
invocation introduced by Hewitt in PLANNER [1971].

The  net  effect  of  this  mechanism  is  that  it  enables  the  user  to 
write  his  programs  in  terms  of  what  he  wants  done,  without  needing  to 
specify  how  he  wants  to  do  it.  Furthermore,  at  any  point,  he  can  add 
new  rules  to  EQRULES  or  any  other  goal  class,  thus  increasing  the  power 
of  the  system  with  little  effort. 

B .  Some  Sample  Rules 

The  deductive  system  is  a  collection  of  rules  represented  as  small 
programs.  One  rule  was  given  in  the  preceding  section;  two  more  rules 
are  presented  here.  The  complete  deductive  system  is  included  in  Appen¬ 
dix  A. 

The first rule, EQSIMP, attempts to prove an equality by simplifying
its arguments:

    EQSIMP = (LAMBDA (EQ ←X ←Y)
               (PROG (DECLARE)
                     (SETQ ←X ($SIMPONE $X))
                     (GOAL $EQRULES (EQ $X $Y)))
               BACKTRACK)

This rule says that to prove terms A and B are equal, simplify A and then
prove that the simplified A is equal to B. This rule, a member of EQRULES,
has the pattern (EQ ←X ←Y). SIMPONE, the simplifier, will fail if its
argument cannot be simplified. In that case, EQSIMP will also fail.
EQSIMP can actually simplify the right side of an equality, as well as
the left, as explained in Appendix A.

The second rule is

    FSUBTRACT1 = (LAMBDA (←F (SUBTRACT ←X ←Y) ←Z)
                   (GOAL $INEQUALITIES
                         ($F $X (PLUS $Y $Z))))

This rule says that to prove $X - Y \le Z$, try to prove $X \le Y + Z$. It
belongs to the goal class INEQUALITIES and is thus used not only for the
predicate LTQ, but also for LT, GT, and GTQ. The variable F is bound to
the appropriate predicate symbol.
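To make the goal mechanism of Section IV.A and the two rules above concrete, here is an added Python sketch, not code from the paper and not the QA4 interpreter: a pattern matcher with the ← and $ prefixes (written `<-X` and `$X`), a `goal` function that offers an argument to each rule of a goal class and backtracks on failure, and hypothetical EQRULES and INEQUALITIES classes holding counterparts of EQTIMESDIVIDE, EQSIMP and FSUBTRACT1 plus two base rules (EQKNOWN, INEQCHECK) of this example's own. The integer-folding `simplify` stands in for SIMPONE, the `HYPS` set of assumed facts is constructed for the example, and a successful goal returns a trace of which rule proved what.

```python
class Fail(Exception):
    """Pattern mismatch or a rule giving up: the goal mechanism backtracks."""

def match(pattern, expr, bindings):
    """Match `pattern` against `expr`, returning the extended bindings.  '<-X'
    binds X afresh (QA4's arrow prefix), '$X' demands X's old binding, and
    anything else must equal `expr` literally."""
    if isinstance(pattern, str) and pattern.startswith("<-"):
        return {**bindings, pattern[2:]: expr}
    if isinstance(pattern, str) and pattern.startswith("$"):
        if bindings.get(pattern[1:]) != expr: raise Fail(pattern)
        return bindings
    if isinstance(pattern, tuple):
        if not isinstance(expr, tuple) or len(pattern) != len(expr): raise Fail(pattern)
        for p, e in zip(pattern, expr):
            bindings = match(p, e, bindings)
        return bindings
    if pattern != expr: raise Fail(pattern)
    return bindings

def goal(goal_class, arg):
    """(GOAL $goal_class arg): offer `arg` to each rule of the class in turn;
    the value is (rule name, goal, subproof) from the first rule to succeed."""
    for name, pattern, body in goal_class:
        try:
            bindings = match(pattern, arg, {})
        except Fail:
            continue                      # pattern does not match: not applicable
        try:
            return (name, arg, body(bindings))
        except Fail:
            continue                      # rule failed: backtrack to the next one
    raise Fail(arg)                       # no rule in the class succeeded

def prove(goal_class, arg):           # top level: the proof trace, or None
    try: return goal(goal_class, arg)
    except Fail: return None

# Constructed hypotheses for this example (the paper keeps such facts on
# property lists and in contexts, which this sketch does not model).
HYPS = {("EQ", ("TIMES", "C", "A"), ("TIMES", "B", "D")), ("LTQ", "A", 11)}
ARITH = {"PLUS": lambda a, b: a + b, "TIMES": lambda a, b: a * b, "SUBTRACT":
         lambda a, b: a - b, "DIVIDE": lambda a, b: a // b if b and a % b == 0 else None}
PREDS = {"LT": lambda a, b: a < b, "LTQ": lambda a, b: a <= b,
         "GT": lambda a, b: a > b, "GTQ": lambda a, b: a >= b}

def simplify(e):
    """Stand-in for SIMPONE: fold integer arithmetic bottom-up; like SIMPONE
    it fails when the expression cannot be simplified at all."""
    if not isinstance(e, tuple) or e[0] not in ARITH: raise Fail(e)
    args = [fold(a) for a in e[1:]]
    if all(isinstance(a, int) for a in args) and ARITH[e[0]](*args) is not None:
        return ARITH[e[0]](*args)
    if tuple(args) == e[1:]: raise Fail(e)
    return (e[0], *args)

def fold(e):                          # simplify if possible, else unchanged
    try: return simplify(e)
    except Fail: return e

# EQRULES, in the order the rules are tried.
def eq_known(b):                      # (EQ X X), or an equality in HYPS
    if b["X"] == b["Y"] or ("EQ", b["X"], b["Y"]) in HYPS: return "TRUE"
    raise Fail("not known")

def eq_simp(b):                       # EQSIMP: simplify a side, re-pose the goal
    for side in ("X", "Y"):
        try:
            s = simplify(b[side])
            return goal(EQRULES, ("EQ", s, b["Y"]) if side == "X" else ("EQ", b["X"], s))
        except Fail:
            continue
    raise Fail("nothing simplifies")

def eq_times_divide(b):               # W = (X/Y)*Z  reduces to  Y*W = X*Z
    return goal(EQRULES, ("EQ", ("TIMES", b["Y"], b["W"]), ("TIMES", b["X"], b["Z"])))

EQRULES = [("EQKNOWN", ("EQ", "<-X", "<-Y"), eq_known),
           ("EQSIMP", ("EQ", "<-X", "<-Y"), eq_simp),
           ("EQTIMESDIVIDE", ("EQ", "<-W", ("TIMES", ("DIVIDE", "<-X", "<-Y"), "<-Z")),
            eq_times_divide)]

# INEQUALITIES: one class for LT, LTQ, GT and GTQ; F is bound to whichever
# predicate symbol occurred, as in FSUBTRACT1.
def ineq_check(b):                    # decide numerically, else consult HYPS
    f, x, y = b["F"], fold(b["X"]), fold(b["Y"])
    if f in PREDS and isinstance(x, int) and isinstance(y, int):
        if PREDS[f](x, y): return "TRUE"
    elif (f, x, y) in HYPS:
        return "TRUE"
    raise Fail("not known")

def fsubtract1(b):                    # X - Y  F  Z  reduces to  X  F  Y + Z
    return goal(INEQUALITIES, (b["F"], b["X"], ("PLUS", b["Y"], b["Z"])))

INEQUALITIES = [("INEQCHECK", ("<-F", "<-X", "<-Y"), ineq_check),
                ("FSUBTRACT1", ("<-F", ("SUBTRACT", "<-X", "<-Y"), "<-Z"), fsubtract1)]
```

`prove(EQRULES, ("EQ", "A", ("TIMES", ("DIVIDE", "B", "C"), "D")))` follows the narrative above: EQKNOWN and EQSIMP fail, EQTIMESDIVIDE rebinds the goal to (EQ (TIMES C A) (TIMES B D)), and that is found among the hypotheses. With 7 in place of a provable value every rule is exhausted and `prove` returns None, the whole goal statement having failed.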

C. Demons

The goal mechanism is used for reasoning backward from a goal. However,
sometimes we want to reason forward from a statement. For example,
suppose that whenever an assertion of the form $X \ge Y$ is asserted, we
want to assert $Y \le X$ as well. We do this by a QA4 mechanism known as
the demon.

A demon is imagined to be a spirit that inhabits a hiding place,
waiting until some specified event occurs, at which time it appears,
performs some action, and vanishes again. We have put several demons in
the system, each watching for a different condition. For instance, one
demon watches for statements of the form $X \ge Y$ and makes the statement
$Y \le X$.

The user of the system can create his own demons. Demons are a tool for
reasoning forward from an antecedent. In particular, we use demons to
drive antecedents into a canonical form. For example, we drive all
inequality expressions with integer arguments into an assertion of the
form $X \le Y$.

D. Representations

To as great an extent as possible, we have chosen representations
that model the semantics of the concepts we use so as to make our
deductions shorter and easier. For example, our language has data
structures especially intended to eliminate the need for certain
inferences. In addition to tuples, which are like the familiar lists of
the list-processing languages, we have the finite sets of conventional
mathematics and bags, which are unordered tuples or, equivalently, sets
that may have multiple occurrences of the same element. (Bags are called
multisets by Knuth [1968], who outlines many of their properties.)
Furthermore, we allow arbitrary expressions to have property lists in the
same way that atoms can have property lists in LISP [McCarthy et al., 1962].

These data structures are useful in the modeling of equivalence
relations, ordering relations, and arithmetic functions. For instance, if
the addition of numbers and the multiplication of numbers are each
represented by a function of two arguments, then it becomes necessary to
use numerous applications of the commutative and associative laws to
prove anything about the number system. However, in QA4 all functions
take only one argument, but this argument can be a tuple, set, or bag,
as well as any other expression. Functions of multiple arguments can be
represented by a function defined on tuples. However, a function that
is commutative and associative, such as PLUS, is defined on bags. The
expression (PLUS A 2 B) really means (PLUS (BAG A 2 B)). Recall that bags
are unordered; the system cannot distinguish between (BAG A 2 B) and
(BAG 2 A B). Consequently, the expressions (PLUS A 2 B) and (PLUS 2 A B)
are identically equal in our system. This makes the commutative law
for addition redundant and, in fact, inexpressible in the language. Most
needs for the associative law are also avoided.

The logical function AND has the property that, for instance,
(AND A A B) = (AND A B). The number of occurrences of an argument does
not affect its value. Consequently, AND takes a set as its argument.
Since (SET A A B) and (SET A B) are indistinguishable, (AND A A B) and
(AND A B) are identical, and a statement of their equality is unnecessary.
Some functions that take sets as arguments are AND, OR, EQ, and GCD
(greatest common divisor).
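The following Python function is an added illustration of this representation trick, not code from the paper: it rewrites an expression so that the single argument of a bag function is an ordered multiset and that of a set function a duplicate-free ordered set, after which plain structural equality decides whether two expressions are "identically equal" in the sense above. The tables of bag and set functions are the ones named in the text; sorting by `repr` is this example's own way of fixing an order on mixed atoms, numbers, and subexpressions.

```python
# Which functions take a bag (order irrelevant, multiplicity kept) and which
# take a set (order and multiplicity irrelevant), as listed in the text.
BAG_FUNCTIONS = {"PLUS", "TIMES"}
SET_FUNCTIONS = {"AND", "OR", "EQ", "GCD"}

def canonical(e):
    """Canonical form of an expression written as (head, arg, ...).  The
    arguments become the one QA4-style argument: ("BAG", ...) sorted, or
    ("SET", ...) sorted with duplicates dropped, or ("TUPLE", ...) kept in
    order.  Subexpressions are canonicalised first, so nesting is handled."""
    if not isinstance(e, tuple):
        return e
    head, args = e[0], [canonical(a) for a in e[1:]]
    if head in BAG_FUNCTIONS:
        return (head, ("BAG", *sorted(args, key=repr)))
    if head in SET_FUNCTIONS:
        return (head, ("SET", *sorted(set(args), key=repr)))
    return (head, ("TUPLE", *args))

def same(e1, e2):
    """Identity of two expressions once commutativity (bags) and idempotence
    (sets) are absorbed by the representation; no rewrite rule is applied."""
    return canonical(e1) == canonical(e2)
```

Associativity is deliberately not absorbed: (PLUS (PLUS A B) C) and (PLUS A B C) remain distinct here, matching the text's "most needs" rather than all.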

When a new fact is asserted to our system, the value TRUE is placed
on the property list of that fact. If at some later time we want to
know if that fact is true, we simply look on its property list.

However, certain facts are given special handling in addition. For
example, if we tell the system that certain expressions are equal, we form
a set of those expressions. On the property list of each expression, we
place a pointer to that set. For instance, if we assert (EQ A B C), the
system stores the following:

    [Figure: A, B, and C each carry a pointer to the shared (SET A B C).]
If we subsequently discover any of these expressions to be equal to still
another expression, the system adds the new expression to the previously
formed set and puts the set on the property list of the new expression
as well. For instance, if we assert (EQ B D), our structure is changed
to the following:

    [Figure: A, B, C, and D each carry a pointer to the shared (SET A B C D).]

The transitivity, symmetry, and reflexivity of equality are thus
implicit in our representation. If we ask whether A and D are equal, the
system knows immediately by looking at the property list of A or D.

Ordering relations are stored using the property list mechanism.
If we know that some expression A is less than B, we place a pointer to
B on the property list of A:

    [Figure: A → B]

If we learn that B is less than C, we put a pointer to C on the property
list of B:

    [Figure: A → B → C]

If we then ask the system if A is less than C, it will search along the
pointers in the appropriate way to answer affirmatively. The transitive
law is built into this representation.

The system knows about LT (<), GT (>), LTQ (≤), GTQ (≥), EQ (=),
NEQ (≠), and how these relations interact. For example, if we assert
X ≥ Y, Y ≥ Z, and X ≤ Z, the system will know X = Y = Z and that (F X A)
= (F Y A). Or if we assert X ≥ Y and X ≠ Y, the system will know X > Y.
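The property-list scheme of this section, as an added Python sketch that is not part of the paper or of QA4: equal expressions share one set object, ordering facts are stored as pointers to the larger expression, and queries follow the pointers. The class and method names are this example's own, and congruence (deriving (F X A) = (F Y A)) is not modelled.

```python
from collections import defaultdict

class PropertyLists:
    """Property-list store for EQ, LT, LTQ and NEQ facts (added example)."""

    def __init__(self):
        self.eq_class = {}           # expr -> the set shared by everything equal to it
        self.ltq = defaultdict(set)  # x -> {y : x <= y was asserted}
        self.lt = defaultdict(set)   # x -> {y : x < y was asserted}
        self.neq = defaultdict(set)  # x -> {y : x != y was asserted}

    def class_of(self, x):
        return self.eq_class.setdefault(x, {x})

    def assert_eq(self, *exprs):
        # (EQ A B C): form one set and put a pointer to it on every member's list.
        merged = set().union(*(self.class_of(e) for e in exprs))
        for e in merged:
            self.eq_class[e] = merged

    def equal(self, x, y):
        # Reflexivity, symmetry and transitivity are implicit in the shared set.
        return y in self.class_of(x)

    def assert_lt(self, x, y):
        self.lt[x].add(y)

    def assert_neq(self, x, y):
        self.neq[x].add(y)
        self.neq[y].add(x)

    def assert_ltq(self, x, y):
        self.ltq[x].add(y)
        # A cycle of LTQ pointers forces everything on it to be equal; this is
        # how X >= Y, Y >= Z and X <= Z collapse to X = Y = Z.
        cycle = [n for n in self._reachable(y, ("ltq",))
                 if self.equal(n, x) or x in self._reachable(n, ("ltq",))]
        if cycle:
            self.assert_eq(x, y, *cycle)

    def _successors(self, x, kinds):
        # Pointers hang off every expression in x's equality class.
        out = set()
        for member in self.class_of(x):
            for kind in kinds:
                out |= getattr(self, kind)[member]
        return out

    def _reachable(self, start, kinds):
        seen, todo = set(), [start]
        while todo:
            for s in self._successors(todo.pop(), kinds):
                if s not in seen:
                    seen.add(s)
                    todo.append(s)
        return seen

    def less_or_equal(self, x, y):
        return self.equal(x, y) or any(
            self.equal(n, y) for n in self._reachable(x, ("lt", "ltq")))

    def less(self, x, y):
        if self.equal(x, y):
            return False
        # (1) a pointer path from x to y that crosses at least one strict LT pointer
        for a in self._reachable(x, ("lt", "ltq")) | self.class_of(x):
            if any(self.less_or_equal(b, y) for b in self._successors(a, ("lt",))):
                return True
        # (2) X >= Y together with X != Y gives X > Y
        return self.less_or_equal(x, y) and any(
            b in self.neq[a] for a in self.class_of(x) for b in self.class_of(y))
```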


E. Contexts

When we are trying to prove an implication of the form A ⊃ B, it is
natural to want to prove B under the hypothesis that A is true. Our
assumption of the truth of A holds only as long as we are trying to prove
B; after the proof of B is complete, we want to forget that we have
assumed A. For this and other reasons, the QA4 language contains a context
mechanism. All assertions are made with respect to a context, either
implicitly or explicitly. For any context, we can create an arbitrary
number of lower contexts.


A query made with respect to a context will have access to all assertions
made with respect to higher contexts but not to any assertions made
with respect to any other contexts. For instance, suppose we are trying
to prove i < j ⊃ i + 1 ≤ j with respect to some context C₁. We may have
already made some assertions in context C₁. We establish a lower context,
C₂, and assert i < j with respect to C₂. Then we try to prove i + 1 ≤ j
with respect to C₂. When proving i + 1 ≤ j, we know i < j, as well as all
the assertions we knew previously in C₁. When the proof of i + 1 ≤ j is
complete, we may have other statements to prove in C₁. In doing these
proofs, we will know all the assertions in C₁ and also, perhaps, the
assertion i < j ⊃ i + 1 ≤ j, but we will not know i < j because it was
asserted with respect to a lower context.
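An added Python sketch (not QA4 code) of the context mechanism just described: each context holds its own facts and sees its ancestors' facts, and prove_implication asserts the antecedent in a fresh lower context, so the i < j hypothesis is forgotten once the proof is done. The Context class, prove_implication and the integer rule that turns i < j into i + 1 ≤ j are this example's own assumptions.

```python
class Context:
    """A QA4-style context (added example): a query made with respect to a
    context sees the facts asserted in it and in every higher context, but
    never those asserted in a lower context or in a sibling."""

    def __init__(self, parent=None):
        self.parent = parent
        self.facts = set()

    def assert_fact(self, fact):
        self.facts.add(fact)

    def known(self, fact):
        ctx = self
        while ctx is not None:           # walk up through the higher contexts
            if fact in ctx.facts:
                return True
            ctx = ctx.parent
        return False

    def lower(self):
        return Context(parent=self)

def prove_implication(ctx, antecedent, consequent, rules):
    """Prove antecedent ⊃ consequent with respect to ctx: assert the antecedent
    in a fresh lower context, forward-chain the rules there until the
    consequent is known or nothing new appears, then record only the
    implication in ctx.  The antecedent stays confined to the lower context."""
    sub = ctx.lower()
    sub.assert_fact(antecedent)
    progress = True
    while progress and not sub.known(consequent):
        progress = False
        for rule in rules:
            for fact in list(sub.facts):
                derived = rule(fact)
                if derived is not None and not sub.known(derived):
                    sub.assert_fact(derived)
                    progress = True
    if not sub.known(consequent):
        return False
    ctx.assert_fact(("IMPLIES", antecedent, consequent))
    return True

def integer_succ_rule(fact):
    """Hypothetical rule for this example: from i < j over the integers
    conclude i + 1 <= j.  Facts are tuples such as ("LT", "i", "j")."""
    if fact[0] == "LT":
        _, i, j = fact
        return ("LTQ", ("PLUS", i, 1), j)
    return None
```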


F. User Interaction

Sometimes our rules ask us whether they should continue or fail.
This allows us to cut off lines of reasoning that we know in advance to
be fruitless. If we make a mistake in answering the question, we may
cause the system to fail when it could have succeeded. However, we
never cause the system to find a false or erroneous proof.

In addition to these mechanisms, which are built into the language
processor, we have developed some notations that make it easier to
discuss programming constructs; these notations are a part of our assertion
language and are interpreted by the deductive system.
V NOTATIONS

In speaking about the program to find the maximum element of an array,
we found it convenient to use the ellipsis notation "...". We have not
introduced this notation into our language; however, we have found ways
of getting around its absence.


A. TUPA, SETA, BAGA

Let A be a one-dimensional array and I and J be integers. Then
(TUPA A I J) is the tuple

    (TUPLE A[I], A[I+1], ..., A[J])

If I > J, then (TUPA A I J) is the empty tuple.

(SETA A I J) and (BAGA A I J) are the corresponding set and bag. To
state that an array is sorted between 0 and N, we assert

    (LTQ (TUPA A 0 N))

To state that an array A is the same in contents between 0 and N as the
initial array A₀, although these contents may have been permuted, we
assert

    (EQ (BAGA A 0 N) (BAGA A₀ 0 N))


B. The STRIP Operator

Let X be a set or bag, X = (SET X₁, ..., Xₙ) or X = (BAG X₁, ..., Xₙ).
Then (LTQ (STRIP X) Y) means X₁ ≤ Y and ... and Xₙ ≤ Y. For instance, to
state that MAX is greater than or equal to any element in an array A
between I and J, we assert

    (LTQ (STRIP (BAGA A I J)) MAX)

This is perhaps not quite as clear as

    A[I] ≤ MAX, A[I+1] ≤ MAX, ..., A[J] ≤ MAX

but we prefer it to

    (∀u) [(I ≤ u ∧ u ≤ J) ⊃ A[u] ≤ MAX]

The STRIP operator is also used to remove parentheses from expressions:

    (BAG A (STRIP (BAG B C D)))

is

    (BAG A B C D)

We will eventually need two distinct operators, one to act as a
quantifier and one to remove parentheses, but the single operator STRIP
has played both roles so far.

C. ACCESS and CHANGE

Arrays cannot be treated as functions because their contents can be
changed, whereas functions do not change their definitions. Thus, while
f(x) is likely to mean the same thing for the same value of x at different
times, A[x] is not. We overcome this difficulty by adopting McCarthy
and Painter's [1967] functions ACCESS and CHANGE in our explication of the
array concept:

    • (ACCESS A I) means A[I].

    • (CHANGE A I T) means the array A after the assignment
      statement A[I] ← T has been executed.

We do not propose that ACCESS and CHANGE be used in writing programs or
assertions; we do find that they make reasoning about arrays simpler, as
King suspected they would.
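An added example, not the paper's QA4 code: a small Python evaluator for the forms of sections A to C (TUPA, SETA, BAGA, STRIP, LTQ, EQ, ACCESS, CHANGE), so that the assertions above can be checked on concrete arrays. The representation choices (tuples for forms, Counter for bags, frozenset for sets, Python list indices for A[I]) and the function names are this example's own.

```python
from collections import Counter

class Strip(tuple):
    """Value of (STRIP X): the elements of X, to be spliced into the enclosing
    BAG/SET/TUPLE or read as a quantifier by LTQ/LT."""

def elements(coll):
    return list(coll.elements()) if isinstance(coll, Counter) else list(coll)

def evaluate(form, env):
    """Evaluate a form of the paper's assertion language (added example, not the
    QA4 code).  Forms are nested tuples whose first element is the operator;
    strings are looked up in env; ints stand for themselves.  Arrays are Python
    lists, so A[I] is env["A"][I].  Sets are frozensets, bags are Counters."""
    if isinstance(form, int):
        return form
    if isinstance(form, str):
        return env[form]
    op, *args = form
    vals = lambda: [evaluate(x, env) for x in args]
    if op in ("PLUS", "MINUS"):            # index arithmetic such as F-1, J+1
        a, b = vals()
        return a + b if op == "PLUS" else a - b
    if op == "ACCESS":                     # (ACCESS A I) means A[I]
        a, i = vals()
        return a[i]
    if op == "CHANGE":                     # (CHANGE A I T): A after A[I] := T, as a new array
        a, i, t = vals()
        new = list(a)
        new[i] = t
        return new
    if op == "TUPA":                       # (TUPA A I J) = (TUPLE A[I] A[I+1] ... A[J]); empty if I > J
        a, i, j = vals()
        return tuple(a[k] for k in range(i, j + 1))
    if op in ("SETA", "BAGA"):             # the corresponding set and bag
        tup = evaluate(("TUPA", *args), env)
        return frozenset(tup) if op == "SETA" else Counter(tup)
    if op == "STRIP":
        return Strip(elements(vals()[0]))
    if op in ("TUPLE", "SET", "BAG"):      # STRIP arguments lose their parentheses here
        items = []
        for v in vals():
            items.extend(v if isinstance(v, Strip) else [v])
        return {"TUPLE": tuple, "SET": frozenset, "BAG": Counter}[op](items)
    if op == "EQ":
        v = vals()
        return all(x == v[0] for x in v[1:])
    if op in ("LTQ", "LT"):
        # Each argument becomes a group of values: a STRIP argument is the group
        # of all its elements (so (LTQ (STRIP X) Y) says every X_k <= Y), and a
        # lone tuple argument is read element by element (so (LTQ (TUPA A 0 N))
        # says the segment is sorted).  Every consecutive pair of groups must
        # satisfy the relation element-wise; an empty group is vacuously fine.
        groups = []
        for v in vals():
            if isinstance(v, Strip):
                groups.append(list(v))
            elif isinstance(v, tuple) and len(args) == 1:
                groups.extend([e] for e in v)
            else:
                groups.append([v])
        rel = (lambda p, q: p <= q) if op == "LTQ" else (lambda p, q: p < q)
        return all(rel(p, q) for g, h in zip(groups, groups[1:]) for p in g for q in h)
    raise ValueError(f"unknown operator {op}")

def mccarthy_axiom_holds(a, i, j, t):
    """McCarthy's array axiom, checked on concrete values:
    (ACCESS (CHANGE A I T) J) = (IF I = J THEN T ELSE (ACCESS A J))."""
    env = {"A": a, "I": i, "J": j, "T": t}
    lhs = evaluate(("ACCESS", ("CHANGE", "A", "I", "T"), "J"), env)
    rhs = t if i == j else evaluate(("ACCESS", "A", "J"), env)
    return lhs == rhs
```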


The next sections show examples of some fairly difficult proofs produced
by the deductive system. The actual traces for some of these are
included in Appendix B.
VI THE REAL NUMBER QUOTIENT ALGORITHM

Very little work has been done to prove properties of programs that
work on the real numbers or the floating point numbers, although there is
no reason to believe such proofs could not be done. Figure 2 shows, for
instance, a program (Wensley [1958], Elspas et al. [1972]) to compute an
approximate quotient Y of real numbers P and Q, where 0 ≤ P < Q. This
is an interesting and computationally plausible algorithm. It uses
only addition, subtraction, and division by two, and it computes a new
significant bit of the quotient with each iteration.

The algorithm can be understood in the following way. At the beginning
of each iteration, P/Q belongs to the half-open interval [Y, Y+D).
It is determined whether P/Q belongs to the left half or the right half
of the interval. Y and D are adjusted so that in the new iteration,
the half-interval to which Y belongs plays the role of the interval
[Y, Y+D). Thus Y becomes a better and better approximation for P/Q.

We will consider here only one path through this program, i.e.,
the path around the loop that follows the right branch of the test P < A+B.
We will prove only one loop assertion: P < Y*Q + D*Q. Our verification
condition generator supplies us with the following hypotheses:

    0 ≤ P                        (14)
    P < Q                        (15)
    A = Q*Y                      (16)
    2*B = Q*D                    (17)
    P < Y*Q + D*Q                (18)
    Y*Q ≤ P                      (19)
    ¬(D < E)                     (20)
    P < A+B                      (21)

    [FIGURE 2  THE WENSLEY DIVISION ALGORITHM]

The goal is to prove from these hypotheses that

    P < Q*Y + Q*(D/2) .          (22)

These hypotheses and the goal were constructed in a manner precisely
analogous to the generation of the condition for the previous example of
computing the maximum of an array.

The proof goes as follows. After an abortive attempt at using the
assertion (18), the system tries to show that the conclusion follows
from (21). It therefore tries to show that

    A+B ≤ Q*Y + Q*(D/2) .        (23)

This goal is broken into the following two:

    A ≤ Q*Y                      (24)

    B ≤ Q*(D/2)                  (25)

Of course, this strategy will not always be successful. However, in
this case goal (24) follows from (16), whereas (25) reduces to (17).
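The loop path just analysed, as an added Python example written from the description of Figure 2 rather than from the paper's program text: exact rationals are used so that hypotheses (16) to (19) can be checked at every loop head and goal (22) after the P < A+B branch. The initialization A = 0, B = Q/2, Y = 0, D = 1 and the function names are this example's assumptions.

```python
from fractions import Fraction

def loop_invariant_holds(p, q, a, b, y, d):
    """Hypotheses (16)-(19) at the head of the loop:
    A = Q*Y, 2*B = Q*D, P < Y*Q + D*Q and Y*Q <= P."""
    return a == q * y and 2 * b == q * d and p < y * q + d * q and y * q <= p

def wensley_divide(p, q, e):
    """Compute the approximate quotient Y of P/Q, 0 <= P < Q, to within E using
    only addition, subtraction and halving (added example written from the
    description of Figure 2).  Returns (Y, iterations)."""
    p, q, e = Fraction(p), Fraction(q), Fraction(e)
    if not 0 <= p < q:
        raise ValueError("requires 0 <= P < Q")
    a, b, y, d = Fraction(0), q / 2, Fraction(0), Fraction(1)   # A = Q*Y, 2*B = Q*D
    iterations = 0
    while not d < e:                        # hypothesis (20): inside the loop, ¬(D < E)
        assert loop_invariant_holds(p, q, a, b, y, d)
        if p < a + b:                       # (21): P/Q lies in the left half [Y, Y + D/2)
            d = d / 2
            b = b / 2
            # Goal (22), P < Q*Y + Q*(D/2) in terms of the old D, is the
            # invariant (18) again for the new D.
            assert p < q * y + q * d
        else:                               # P/Q lies in the right half [Y + D/2, Y + D)
            d = d / 2
            y = y + d
            a = a + b
            b = b / 2
        iterations += 1
    # On exit D < E, and (18) with (19) gives 0 <= P/Q - Y < D.
    assert 0 <= p / q - y < e
    return y, iterations
```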

A complete trace of this proof and listings of the rules required
to achieve it are provided in Appendices A and B.
VII A PATTERN MATCHER

As an experiment in the incorporation of new knowledge into the system,
we performed the partial verification of a simple pattern matcher
and a recursive version of the unification algorithm [Robinson, 1965].
These algorithms were of special interest to us because they involve
concepts we have actually used in the implementation of the QA4 program
itself. They are thus in some sense realistic, although neither of these
programs appears literally in the QA4 code. The subject domain is as
follows.

We assume that expressions are LISP S-expressions [McCarthy, 1962];
for example, (F X (G A B)) is an expression. Atomic elements are designated
as either constant or variable, and they can be distinguished by the use
of the predicates const and var. Here we use A, B, C, F, and G as
constants and U, V, W, X, Y, and Z as variables:

    • var(X) is true

    • const(A) is true

    • var(A) is false

    • var((X Y)) is false.

A substitution replaces some of the variables of an expression by
terms. Substitutions are represented as lists of dotted pairs;
((X . A) (Y . (F G))) is a substitution. varsubst(s, e) is the result of
making substitutions in expression e. If s is

    ((X . A) (Y . (G B))) ,

and e is

    (F X A (Y B))

then varsubst(s, e) is

    (F A A ((G B) B))

The LISP functions car, cdr, list, and atom can be used to manipulate
expressions. The empty substitution is denoted by EMPTY and has no
effect on an expression. An operation called compose, the composition of
substitutions, defined by Robinson [1965], has the following property:

    varsubst(compose(s1, s2), e) = varsubst(s1, varsubst(s2, e))

The problem of pattern matching is defined as follows: Given two
expressions called the pattern and the argument, try to find a
substitution for the variables of the pattern that makes it identical to
the argument. We call such a substitution a match. For example, if the
pattern is

    (X (Y A B) X)

and the argument is

    (D (C A B) D) ,

then match(pat, arg) is

    ((X . D) (Y . C))

If there is no substitution that makes the pattern identical to the
argument, we want the pattern matcher to return the distinguished atom
NOMATCH. Thus, if pat is (X Y X) and arg is (A B C), then match(pat, arg)
is NOMATCH, since we cannot expect X to be matched against both A and C.

For simplicity, we assume that the argument contains no variables.

A LISP-like program to perform the match might be

    match(pat, arg) = prog((m1 m2)
        if const(pat) then (if pat = arg then return(EMPTY)
                            else return(NOMATCH))
        if var(pat) then return(list(cons(pat, arg)))
        if atom(arg) then return(NOMATCH)
        m1 ← match(car(pat), car(arg))
        if m1 = NOMATCH then return(NOMATCH)
        m2 ← match(varsubst(m1, cdr(pat)), cdr(arg))
        if m2 = NOMATCH then return(NOMATCH)
        return(compose(m2, m1)))

The program does the appropriate thing in the case of atomic patterns
or arguments, and it calls itself recursively on the left and right halves
of the expressions in the nonatomic case. The program applies the
substitution found in matching the left halves of the expressions to the right
half of the pattern before it is matched so as to avoid having the same
variable matched against different terms.

We have proved several facts about a version of this program, but
we focus our attention here on one of them: If the program does not
return NOMATCH, then the substitution it finds actually is a match; i.e.,
applying the substitution to the pattern makes that pattern identical
to the argument. Thus, the output assertion is:

    match(pat, arg) ≠ NOMATCH ⊃
        varsubst(match(pat, arg), pat) = arg

Since we assume the argument contains no variables, the input assertion
is

    constexp(arg)                                            (26)

We have verified one condition for the longest path of match with respect
to these assertions. This path is followed when the pattern and the
argument are both nonatomic and when the recursive calls on match
successfully return a substitution. In writing our verification condition,
we use the same abbreviations the program does, i.e.,
    m1 = match(car(pat), car(arg))

and

    m2 = match(varsubst(m1, cdr(pat)), cdr(arg))

In proving a property of a recursively defined program, we follow Manna
and Pnueli [1970] and assume that property about the recursive call to
the program. Thus, for this program we have the inductive hypotheses

    constexp(car(arg)) ∧ m1 ≠ NOMATCH ⊃
        varsubst(m1, car(pat)) = car(arg)                    (27)

(the program works for the car of the pattern) and

    constexp(cdr(arg)) ∧ m2 ≠ NOMATCH ⊃
        varsubst(m2, varsubst(m1, cdr(pat))) = cdr(arg) .    (28)

(the program works for the instantiated cdr of the pattern). The
verification condition generator would split both of these hypotheses into
three cases; we will consider only the case in which the antecedents of
both implications are true. Hence, we assume that both the recursive
calls to the pattern matcher succeed in finding matches.

By the path we have taken through the program, we know that

    ¬const(pat)                                              (29)

(the pattern is not a constant),

    ¬var(pat)                                                (30)

(the pattern is not a variable), and

    ¬atom(arg)                                               (31)

(the argument is not an atom). Since for this path

    match(pat, arg) = compose(m2, m1) ,

the goal is to prove

    varsubst(compose(m2, m1), pat) = arg                     (32)


The proof produced by the system proceeds as follows. The goal is split
into two subgoals:

    varsubst(compose(m2, m1), car(pat)) = car(arg)           (33)

and

    varsubst(compose(m2, m1), cdr(pat)) = cdr(arg) .         (34)

From the property of "compose," the first goal is simplified to

    varsubst(m2, varsubst(m1, car(pat))) = car(arg)

Since

    varsubst(m1, car(pat)) = car(arg)

by (27), this simplifies to

    varsubst(m2, car(arg)) = car(arg)

Since arg contains no variables, neither does car(arg). Thus, the goal
simplifies to

    car(arg) = car(arg)

The proof of (34) is even simpler:

    varsubst(compose(m2, m1), cdr(pat))

simplifies to

    varsubst(m2, varsubst(m1, cdr(pat)))

We know by our hypothesis (28) that

    varsubst(m2, varsubst(m1, cdr(pat))) = cdr(arg) ,

and this completes the proof.

This proof required not only that we add new rules describing the
concepts involved, but also that we extend certain of our older
capabilities, particularly our ability to simplify expressions using known
equalities. A complete trace of the proof is included in Appendix B.

We worked nearly a week before the system was able to do this proof.
However, once the proof was completed, the effort necessary to enable the
system to do the proof of the unification algorithm was minimal. The
latter proof, though longer than this one, did not require much additional
intellectual capacity on the part of the deductive system. We do not
show that proof here because it is similar to the pattern matcher proof,
but we include the program and the assertion we proved about it.
VIII THE UNIFICATION ALGORITHM

The problem of unification is similar to that of pattern matching
except that we allow both arguments to contain variables. We expect the
algorithm to find a substitution that makes the two arguments identical
when it is applied to both, if such a substitution exists. For example,
if x is (F U A) and y is (F B V), then unify(x, y) is ((U . B) (V . A)), where
U and V are variables and A, B, and F are constants.

A simple program to unify x and y is

    unify(x, y) = prog((m1 m2)
        if x = y then return(EMPTY)
        if var(x) then
            return(if occursin(x, y) then NOMATCH
                   else list(cons(x, y)))
        if var(y) then
            return(if occursin(y, x) then NOMATCH
                   else list(cons(y, x)))
        if atom(x) then return(NOMATCH)
        if atom(y) then return(NOMATCH)
        m1 ← unify(car(x), car(y))
        if m1 = NOMATCH then return(NOMATCH)
        m2 ← unify(varsubst(m1, cdr(x)),
                   varsubst(m1, cdr(y)))
        if m2 = NOMATCH then return(NOMATCH)
        return(compose(m2, m1)))

The predicate occursin(u, v) tests if u occurs in v. This program is
a recursive, list-oriented version of Robinson's iterative, string-
oriented program. Again, we have verified only the longest path of the
program, not the entire program. Furthermore, we have proved not the
strongest possible statement about this program, but only that

    unify(x, y) ≠ NOMATCH ⊃
        varsubst(unify(x, y), x) = varsubst(unify(x, y), y)
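The two programs of sections VII and VIII, as added Python code (not the paper's LISP-like text), together with checks of the two assertions proved about them on concrete inputs. The variable and constant names follow the paper; the tuple representation of S-expressions and of substitutions, and the helper names, are this example's own.

```python
VARIABLES = {"U", "V", "W", "X", "Y", "Z"}   # the paper's variables; other atoms are constants
EMPTY = ()                                   # the empty substitution
NOMATCH = "NOMATCH"                          # the distinguished failure atom

def atom(e):
    return isinstance(e, str) or e == ()     # () plays the role of NIL

def var(e):
    return isinstance(e, str) and e in VARIABLES

def const(e):
    return atom(e) and not var(e)

def car(e):
    return e[0]

def cdr(e):
    return e[1:]

def varsubst(s, e):
    """Apply substitution s, a tuple of (variable, term) pairs, to expression e."""
    if var(e):
        for v, t in s:
            if v == e:
                return t
        return e
    if atom(e):
        return e
    return tuple(varsubst(s, x) for x in e)

def compose(s1, s2):
    """Robinson's composition, so that
    varsubst(compose(s1, s2), e) == varsubst(s1, varsubst(s2, e))."""
    bound = {v for v, _ in s2}
    return tuple((v, varsubst(s1, t)) for v, t in s2) + \
        tuple((v, t) for v, t in s1 if v not in bound)

def occursin(u, v):
    """Does u occur anywhere inside v?"""
    return u == v or (not atom(v) and any(occursin(u, w) for w in v))

def match(pat, arg):
    """Section VII: a match for pat against a variable-free arg, or NOMATCH."""
    if const(pat):
        return EMPTY if pat == arg else NOMATCH
    if var(pat):
        return ((pat, arg),)
    if atom(arg):
        return NOMATCH
    m1 = match(car(pat), car(arg))
    if m1 == NOMATCH:
        return NOMATCH
    # Instantiate the rest of the pattern first so that one variable is never
    # matched against two different terms.
    m2 = match(varsubst(m1, cdr(pat)), cdr(arg))
    if m2 == NOMATCH:
        return NOMATCH
    return compose(m2, m1)

def unify(x, y):
    """Section VIII: a unifier of x and y, both of which may contain variables."""
    if x == y:
        return EMPTY
    if var(x):
        return NOMATCH if occursin(x, y) else ((x, y),)
    if var(y):
        return NOMATCH if occursin(y, x) else ((y, x),)
    if atom(x) or atom(y):
        return NOMATCH
    m1 = unify(car(x), car(y))
    if m1 == NOMATCH:
        return NOMATCH
    m2 = unify(varsubst(m1, cdr(x)), varsubst(m1, cdr(y)))
    if m2 == NOMATCH:
        return NOMATCH
    return compose(m2, m1)

def match_is_correct(pat, arg):
    """The output assertion of section VII, for a concrete pat and arg."""
    m = match(pat, arg)
    return m == NOMATCH or varsubst(m, pat) == arg

def unify_is_correct(x, y):
    """The assertion of section VIII, for concrete x and y."""
    m = unify(x, y)
    return m == NOMATCH or varsubst(m, x) == varsubst(m, y)
```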
IX THE FIND PROGRAM

The program FIND, described by Hoare [1961], is intended to rearrange
an array A so that all the elements to the left of a certain index F are
less than or equal to A[F], and all those to the right of F are greater
than or equal to A[F]. In other words, the relation (STRIP (BAGA A 1 F-1))
≤ A[F] ≤ (STRIP (BAGA A F+1 NN)) should hold when the program halts.
For instance, if F is NN/2, then A[F] is the median of the array. The
function is useful in computing percentiles and is fairly complex.

Hoare remarks that a sorting program would achieve the same purpose
but would usually require much more time; the conditions for FIND are
much weaker in that, for example, the elements to the left of F need not
be sorted themselves, as long as none of them are greater than A[F].
The ALGOL representation of FIND is as follows:

    BEGIN
      INTEGER M, N;
      M := 1;
      N := NN;
      WHILE M < N DO
        BEGIN INTEGER R, I, J;
          R := A[F];
          I := M;
          J := N;
          WHILE I ≤ J DO
            BEGIN WHILE A[I] < R DO I := I+1;
              WHILE R < A[J] DO J := J-1;
              IF I ≤ J THEN
                BEGIN EXCHANGE(A, I, J);
                  I := I+1;
                  J := J-1
                END
            END;
          IF F ≤ J THEN N := J
          ELSE IF I ≤ F THEN M := I
          ELSE GO TO L
        END;
    L:
    END

The general strategy of the program FIND is to move "small" elements
to the left and "large" elements to the right. These relative size
categories are defined as being less than or not less than an arbitrary array
element. The algorithm scans the array from left to right looking for a
large element; when it finds one, it scans from right to left looking
for a small element. When it finds one, it exchanges the large element
and the small element it has already found, and the scan from the left
continues where it left off until the next large element is found, and
so on. When the scan from the left and the scan from the right meet
somewhere in the middle, they define a split in the array. We can then show
that all the elements to the left of the split are small and all those
to the right are large.
The index F can be either to the left or to the right of the split,
but suppose it is to the left. Then the elements to the right of the
split can remain where they are; they are the largest elements in the
array, and the element that will ultimately be in position F is to the
left of the split. We then disregard the right portion of the array and
repeat the process with the split as the upper bound of the array and
with a refined definition of "large" and "small." We will eventually
find a new split; suppose this split is to the left of F. We can then
leave in place the elements of the array to the left of the split and
work only with the elements to the right; we readjust the left bound of
the array to occur at the split, and we repeat the process. Thus, the
left and right bounds of the array move closer and closer together, but
they always have F between them. Finally, they meet at F, and the
algorithm halts.

The flow chart in Figure 3 follows Hoare's algorithm closely.

In this program, I is the pointer for the left-to-right scan, J is
the pointer for the right-to-left scan, M and N are the lower and upper
bounds of the "middle" portion of the array, and R is the value used to
discriminate between small and large array elements. Hoare [1971]
provided an informal manual proof of the correctness of his program;
Igarashi, London, and Luckham [1973] have produced machine proofs. The
proof we obtained required a minimal number (three) of intermediate
assertions; however, one of the verification conditions produced was quite
difficult to prove. This condition corresponds to the statement that the
elements to the right of the right boundary dominate the elements to its
left after an exchange is performed and a new right boundary is established.
We present a sketch of that proof below.

    [FIGURE 3  THE FIND PROGRAM]
A. Assertions for FIND

The input assertion q_s for FIND is (the conjunction of)

    1 ≤ F < NN
    A = AP

The array AP is the initial version of A; we define it in the input
assertion so that we can refer to it after we have modified A.

The output assertion q_H is

    (STRIP (BAGA A 1 F-1)) ≤ A[F] ≤ (STRIP (BAGA A F+1 NN))
    (BAGA A 1 NN) = (BAGA AP 1 NN)

The second conjunct of q_H states that when the program terminates,
the array A is indeed a permutation of the initial array AP.

The intermediate assertion q₁ is

    1 ≤ M ≤ F ≤ N ≤ NN
    (STRIP (BAGA A 1 M-1)) ≤ (STRIP (BAGA A M NN))
    (STRIP (BAGA A 1 N)) ≤ (STRIP (BAGA A N+1 NN))
    (BAGA A 1 NN) = (BAGA AP 1 NN)

This assertion is reached whenever a new bound on the middle section of
the array is established.

The assertion q₂ is

    1 ≤ M ≤ F ≤ N ≤ NN
    (STRIP (BAGA A 1 M-1)) ≤ (STRIP (BAGA A M NN))
    (STRIP (BAGA A 1 N)) ≤ (STRIP (BAGA A N+1 NN))
    M ≤ I
    J ≤ N
    (STRIP (BAGA A 1 I-1)) ≤ R ≤ (STRIP (BAGA A J+1 NN))
    (BAGA A 1 NN) = (BAGA AP 1 NN)

The assertion q₃ is the same as the assertion q₂, with the additional
conjunct

    R ≤ A[I]
B. The Proof

All but one of the verification conditions for this program were
proved fairly easily. The one difficult condition corresponds to the
path beginning at q₃ that follows the heavy line and finally ends at q₁.
The verification condition generator supplied us with the following
hypotheses:

    1 ≤ M ≤ F ≤ N ≤ NN                                         (35)

    (STRIP (BAGA A 1 M-1)) ≤ (STRIP (BAGA A M NN))             (36)

    (STRIP (BAGA A 1 N)) ≤ (STRIP (BAGA A N+1 NN))             (37)

    M ≤ I                                                       (38)

    J ≤ N                                                       (39)

    (STRIP (BAGA A 1 I-1)) ≤ R ≤ (STRIP (BAGA A J+1 NN))       (40)

    R ≤ A[I]                                                    (41)

    (BAGA AP 1 NN) = (BAGA A 1 NN)                              (42)

    ¬(R < A[J])                                                 (43)

    I ≤ J                                                       (44)

    ¬(I+1 ≤ J-1)                                                (45)

    F ≤ J-1 .                                                   (46)

The interesting consequence for this path is

    (STRIP (BAGA A' 1 J-1)) ≤ (STRIP (BAGA A' (J-1)+1 NN))     (47)

where

    A' = (EXCHANGE A I J) ,

the array that results when elements A[I] and A[J] are interchanged in A.

The proof sketched below roughly parallels the proof produced by the
inference system. Portions of the trace are shown in Appendix B.

The (J-1)+1 term in the goal (47) is simplified to J, giving the goal

    (STRIP (BAGA A' 1 J-1)) ≤ (STRIP (BAGA A' J NN))           (48)


The difficulty in the proof arises from the uncertainty about whether
J < I. We are reasoning about an array segment, and it is not clear
whether that segment is affected by the exchange or not. Hand analysis
of hypotheses (44) and (45) reveals that I = J or I = J-1. The value of
a term like (BAGA (EXCHANGE A I J) 1 J-1) depends on which possibility is
actually the case.

The system "simplifies" the term into

    (IF J ≤ I THEN (BAGA A 1 J-1)
     ELSE (BAG (STRIP (BAGA A 1 I-1))
               A[J]
               (STRIP (BAGA A I+1 J-1))))

Intuitively, if J ≤ I, then both I and J are outside the bounds of the
array segment, whereas if I < J, then the array segment loses A[I] but
gains A[J].

Similarly, the term

    (BAGA (EXCHANGE A I J) J NN)

is "simplified" into

    (IF J ≤ I THEN (BAGA A J NN)
     ELSE (BAG (STRIP (BAGA A J J-1))
               A[I]
               (STRIP (BAGA A J+1 NN))))

Note that (BAGA A J J-1) is empty; the ELSE clause is then

    (BAG A[I] (STRIP (BAGA A J+1 NN)))
Our goal can thus be reduced to showing that

    (IF J ≤ I THEN (STRIP (BAGA A 1 J-1))
     ELSE (STRIP (BAG (STRIP (BAGA A 1 I-1))
                      A[J]
                      (STRIP (BAGA A I+1 J-1)))))
    ≤
    (IF J ≤ I THEN (STRIP (BAGA A J NN))
     ELSE (STRIP (BAG A[I]
                      (STRIP (BAGA A J+1 NN))))) .              (49)


The system approaches the conditional expression by creating two contexts.
In one context, J ≤ I holds, and in the other, I < J is true. In the
first context we must prove that

    (STRIP (BAGA A 1 J-1)) ≤ (STRIP (BAGA A J NN)) .           (50)

In the second context, the statement to be proved is

    (STRIP (BAG (STRIP (BAGA A 1 I-1))
                A[J]
                (STRIP (BAGA A I+1 J-1))))
    ≤
    (STRIP (BAG A[I]
                (STRIP (BAGA A J+1 NN))))                       (51)

Note that in the first context, J = I by (44). In working on (50),
(BAGA A J NN) is expanded to (BAG A[J] (STRIP (BAGA A J+1 NN))). Thus,
(50) breaks into two subgoals:

    (STRIP (BAGA A 1 J-1)) ≤ A[J]                               (52)

and

    (STRIP (BAGA A 1 J-1)) ≤ (STRIP (BAGA A J+1 NN)) .         (53)

Since I = J, (52) follows from (40) and (41), and (53) follows from (40)
alone.

Work on the goal (51) proceeds in the second context, in which I < J.
Since J-1 < I+1 by (45), we know (BAGA A I+1 J-1) is empty. The inequality
(51) may thus be broken into four inequalities:

    (STRIP (BAGA A 1 I-1)) ≤ A[I] ,                             (54)

    (STRIP (BAGA A 1 I-1)) ≤ (STRIP (BAGA A J+1 NN)) ,         (55)

    A[J] ≤ A[I] ,                                               (56)

and

    A[J] ≤ (STRIP (BAGA A J+1 NN)) .                           (57)

Line (54) follows from hypotheses (40) and (41). Goal (55) follows from
(40). Goal (57) follows from (43) and (40). This completes the proof.

This  proof  is  the  longest  achieved  by  our  deductive  system  so  far. 
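FIND and its assertions, as an added Python example (not the paper's ALGOL or QA4 code): the ALGOL above is transcribed onto a 1-based list, the intermediate assertion q₁ is checked at every head of the outer loop and the output assertion q_H at exit, with BAGA written as a Python multiset and STRIP-comparison as an all-pairs check, and the (IF J ≤ I ...) simplification of (BAGA (EXCHANGE A I J) 1 J-1) from the proof is checked on concrete arrays. The function names are this example's own.

```python
from collections import Counter

def baga(a, i, j):
    """(BAGA A I J): the bag of A[I] .. A[J] on a 1-based array; empty when I > J."""
    return Counter(a[i:j + 1]) if i <= j else Counter()

def strip_ltq(left, right):
    """(LTQ (STRIP X) (STRIP Y)): every element of X <= every element of Y.
    A bare value stands for a one-element bag, giving (LTQ (STRIP X) R)."""
    xs = left if isinstance(left, Counter) else Counter([left])
    ys = right if isinstance(right, Counter) else Counter([right])
    return all(x <= y for x in xs for y in ys)

def exchange(a, i, j):
    """(EXCHANGE A I J): a new array with A[I] and A[J] interchanged; A is untouched."""
    b = list(a)
    b[i], b[j] = a[j], a[i]
    return b

def q1_holds(a, ap, m, n, f, nn):
    """Intermediate assertion q1, reached whenever a new bound on the middle is set."""
    return (1 <= m <= f <= n <= nn
            and strip_ltq(baga(a, 1, m - 1), baga(a, m, nn))
            and strip_ltq(baga(a, 1, n), baga(a, n + 1, nn))
            and baga(a, 1, nn) == baga(ap, 1, nn))

def output_holds(a, ap, f, nn):
    """Output assertion q_H: (STRIP (BAGA A 1 F-1)) <= A[F] <= (STRIP (BAGA A F+1 NN))
    and (BAGA A 1 NN) = (BAGA AP 1 NN)."""
    return (strip_ltq(baga(a, 1, f - 1), a[f])
            and strip_ltq(a[f], baga(a, f + 1, nn))
            and baga(a, 1, nn) == baga(ap, 1, nn))

def exchange_split_lemma(a, i, j):
    """The system's simplification of (BAGA (EXCHANGE A I J) 1 J-1):
    IF J <= I THEN (BAGA A 1 J-1)
    ELSE (BAG (STRIP (BAGA A 1 I-1)) A[J] (STRIP (BAGA A I+1 J-1)))."""
    lhs = baga(exchange(a, i, j), 1, j - 1)
    if j <= i:
        rhs = baga(a, 1, j - 1)
    else:
        rhs = baga(a, 1, i - 1) + Counter([a[j]]) + baga(a, i + 1, j - 1)
    return lhs == rhs

def find(values, f):
    """Hoare's FIND, transcribed from the ALGOL onto a 1-based copy of values
    (index 0 is padding).  Asserts q1 at every outer-loop head and q_H at exit."""
    a = [None] + list(values)
    ap = list(a)                          # AP: the initial version of A
    nn = len(values)
    if not 1 <= f <= nn:
        raise ValueError("requires 1 <= F <= NN")
    m, n = 1, nn
    while m < n:
        assert q1_holds(a, ap, m, n, f, nn)
        r, i, j = a[f], m, n
        while i <= j:
            while a[i] < r:
                i += 1
            while r < a[j]:
                j -= 1
            if i <= j:
                a = exchange(a, i, j)
                i += 1
                j -= 1
        if f <= j:
            n = j
        elif i <= f:
            m = i
        else:
            break                         # GO TO L
    assert output_holds(a, ap, f, nn)
    return a[1:]
```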
X SUMMARY OF RESULTS

Complete proofs have been found of the correctness of the following
algorithms:

    • Finding the largest element of an array

    • Finding the quotient of two real numbers

    • Hoare's FIND program

    • The Euclidean algorithm for finding the greatest common
      divisor

    • The exponentiation program from King's thesis

    • Integer quotient and remainder

    • Integer multiplication by repeated addition

    • The factorial.

Theorems have been proved about the following algorithms:

    • The pattern matcher.

    • Unification.

    • Exchanging two array elements (the theorem is that the bag
      of the contents of the array is unchanged).

    • King's exchange sort.

We believe the system now has the power to do all of King's problem
set except the linear inequalities problem, which is not really a proof
about an algorithm.
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XI  FUTURE  PLANS 


We  are  currently  applying  the  verifier  to  more  and  more  complex 
programs  in  a  variety  of  subject  domains .  We  are  continuously  being 
forced  to  add  new  rules  and  occasionally  to  generalize  old  ones;  a  spe¬ 
cial  purpose  rule  that  worked  for  one  problem  may  not  work  for  the  next. 

The  deductive  system  is  implemented  in  the  QA4  language.  Although 
QA4  is  ideally  suited  for  expressing  our  rules,  it  is  an  experimental  sys¬ 
tem  evaluated  by  an  interpreter  and  is  written  in  LISP;  furthermore,  it 
uses  space  inefficiently.  R.  Reboh  and  E.  Sacerdoti  are  in  the  process 
of  integrating  QA4  into  BBN-LISP  to  produce  a  system  known  as  QLISP 
[Reboh  and  Sacerdoti,  1973],  QLISP  programs  will  be  LISP  programs  that 
can  be  evaluated  by  the  LISP  interpreter  or  even  compiled.  Furthermore, 
QLISP  is  much  more  conservative  in  its  use  of  space.  We  expect  that 
this  system  will  be  considerably  faster  and  more  compact  than  the  exist¬ 
ing  system.  Our  deductive  system  is  already  being  translated  into  QLISP. 

QA4  subtly  encourages  its  users  to  write  depth-first  search  strate¬ 
gies,  since  it  implements  the  goal  mechanism  by  means  of  backtracking. 

The deductive system uses depth-first search, and for the most part, this has been the proper thing to do. There have been times, however, when we have felt the need for something more discriminating. Suppose, for example, we are trying to prove an expression of the form x = y. We can do this by trying to simplify x and then proving that the simplified x is equal to y, or we can try to find some assertion a = b and prove x = a and y = b. In the current system, we must exhaust one possibility before trying another, whereas we would like to be able to switch back and forth between different approaches, giving more attention to the one that currently seems to be making the best progress. In other words, we hope to use processes rather than backtracking in the implementation of the goal mechanism.

Finally, we hope to apply this work to the generation of counterexamples for "wrong" programs, to the generation of Floyd assertions, and to the automatic construction of programs. It seems inevitable that if we know how to reason about programs, that reasoning should be able to help us in the process of forming or changing a program. Rather than taking a handwritten and hand-debugged program to a verifier for approval, we hope to collaborate with a system that will play an active role in the creation of the algorithm.
Appendix A

LISTING OF THE DEDUCTIVE SYSTEM


THE DEDUCTIVE SYSTEM


The deductive system has the overall structure shown in Figure 4. The names on the chart are either function names or goal classes. Only important substructures are included.

An annotated listing of the programs used for reasoning is presented below. An index of functions and goal classes is included at the end of this appendix. The reader will note how little of the space is devoted to general strategies and how much is devoted to subject-specific knowledge. Some of the programs use QA4 features that are not described in this paper. The reader can rely on the English explication of the programs, or he can refer to the QA4 manual (Rulifson et al. [1973]).

To start a deduction, we say to the system

     (GOAL $PROVE (some statement))

•  PROVE is a goal class:*

     (TUPLE ANDSPLIT ORSPLIT ORSPLITMANY PROOFSWITCH)

•  PROOFSWITCH determines whether the goal is an equality; otherwise it is assumed to be an inequality.


*  Bullets are used to indicate the beginning of the description of a new function.

FIGURE 4  STRUCTURE OF THE DEDUCTIVE SYSTEM  (chart not reproduced; its top-level nodes are PROVE and PROOFSWITCH)


     PROOFSWITCH = (LAMBDA (←F ←X)
                     (PROG (DECLARE)
                       (IF (EQUAL $F (QUOTE EQ))
                           THEN (GOAL $EQRULES ($F $X))
                           ELSE (GOAL $INEQUALITIES ($F $X)))
                       (ASSERT ($F $X))
                       (RETURN ($F $X]


In  either  case,  the  appropriate  set  of  rules  is  applied. 


1.  Equalities


•  The equality class is

     EQRULES =
       (TUPLE ANDSPLIT RELCHECK EQTIMESDIVIDE EQSUBST LEIBT LEIBF
              LEIBG LEIBB EQSIMP PROOFLEIB)

•  The rule ANDSPLIT takes a goal that is a conjunction of two or more expressions‡ and tries to prove each conjunct independently.


     ANDSPLIT = (LAMBDA (AND ←X ←←Y)
                  (ATTEMPT (GOAL $GOALCLASS $X)
                     THEN (ATTEMPT (GOAL $GOALCLASS (AND $$Y))
                             ELSE (FAIL))
                     ELSE (FAIL]†


If repeated applications of ANDSPLIT are successful, eventually the goal (AND) will be generated. However, (AND) is an assertion in the data base, and so the rule will then succeed.


•  ORSPLIT applies to a goal that is the disjunction of two expressions and works on each separately.


†  The right bracket represents a string of right parentheses long enough to balance the expression.

‡  Variables with double prefixes, "←←" or "$$", respectively match or evaluate to a sequence of terms rather than a single term. In the rule, for example, Y can be bound to a set of terms, including the empty set.


     ORSPLIT = (LAMBDA (OR ←X ←Y)
                 (ATTEMPT (GOAL $GOALCLASS $X)
                    ELSE (GOAL $GOALCLASS $Y]

The  expression  x  is  attempted  as  a  goal  first;  if  this  is  successful,  we 
are  done.  Otherwise,  ORSPLIT  works  on  y;  if  it  is  unsuccessful,  then  a 
failure  is  generated. 

•  ORSPLITMANY is similar to ORSPLIT, except that it takes as a goal the disjunction of three or more expressions:


     ORSPLITMANY = (LAMBDA (OR ←X ←Y ←Z ←←W)
                     (ATTEMPT (GOAL $GOALCLASS $X)
                        ELSE (GOAL $GOALCLASS (OR $Y $Z $$W]


The expression x is attempted first; if the proof is successful, the disjunction is true. Otherwise, the disjunction of the remaining expressions is established as a new goal. Continued failure to prove members of a disjunction will eventually cause ORSPLIT to be invoked.

•  The rule RELCHECK merely checks the property lists of the expressions to see if they are already known to be equal:

     RELCHECK = (LAMBDA ←X ($ISREL? $X))

When RELCHECK is applied, x is bound to an equality statement, which is fed to ISREL?. ISREL? will succeed not only if the equality has been explicitly asserted, but also if the equality follows by the transitive law from other equalities or inequalities. ISREL? is the mechanism for making queries about special relations. It will work with inequality relations, such as LT, GTQ, and NEQ, as well as EQ.
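As an added illustration (this is not code from the paper or from QA4) of how a goal class, ANDSPLIT, ORSPLIT, LTQMANY and RELCHECK fit together, the Python sketch below represents a goal class as an ordered tuple of rule functions, a rule's FAIL as the value False, and ISREL? as a query against a small model of asserted EQ and LTQ facts (a union-find partition for EQ, a transitive search for LTQ). The Model class, the tuple encoding of goals and the sample facts are assumptions of this example; it also handles conjunctions and disjunctions of any length directly, where the page's ORSPLITMANY peels off one disjunct at a time.

```python
"""Added example: goal classes, ANDSPLIT, ORSPLIT, LTQMANY and RELCHECK in Python
(a sketch of the QA4 mechanism, not the paper's own code)."""

class Model:
    """Asserted EQ and LTQ facts. EQ is a union-find partition; LTQ is answered by a
    transitive search over asserted pairs, which is what ISREL? does for special relations."""
    def __init__(self):
        self.parent = {}
        self.ltq = set()

    def _find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            x = self.parent[x]
        return x

    def assert_(self, fact):
        rel, a, b = fact
        if rel == 'EQ':
            self.parent[self._find(a)] = self._find(b)
        elif rel == 'LTQ':
            self.ltq.add((a, b))
        else:
            raise ValueError(rel)

    def isrel(self, fact):
        """ISREL?: true if the relation is asserted or follows by transitivity."""
        rel, a, b = fact
        start, target = self._find(a), self._find(b)
        if rel == 'EQ':
            return start == target
        if rel != 'LTQ':
            return False
        seen, stack = set(), [start]
        while stack:
            c = stack.pop()
            if c == target:
                return True
            if c not in seen:
                seen.add(c)
                stack.extend(self._find(y) for x, y in self.ltq if self._find(x) == c)
        return False

# A rule takes (goal, model, goal class) and returns True, or False to FAIL so that
# the GOAL mechanism moves on to the next rule of the class.
def andsplit(goal, model, cls):       # (AND ←X ←←Y): prove every conjunct; (AND) is true
    return goal[0] == 'AND' and all(prove(g, model, cls) for g in goal[1:])

def orsplit(goal, model, cls):        # (OR ←X ←←Y): the first provable disjunct wins
    return goal[0] == 'OR' and any(prove(g, model, cls) for g in goal[1:])

def relcheck(goal, model, cls):       # RELCHECK: look the relation up with ISREL?
    return goal[0] in ('EQ', 'LTQ') and len(goal) == 3 and model.isrel(goal)

def ltqmany(goal, model, cls):        # (LTQ x1 x2 ... xn) -> x1<=x2 and x2<=x3 and ...
    if goal[0] != 'LTQ' or len(goal) < 4:
        return False
    pairs = tuple(('LTQ', a, b) for a, b in zip(goal[1:], goal[2:]))
    return prove(('AND',) + pairs, model, cls)

def prove(goal, model, cls):
    """GOAL: depth-first, rules tried in order; the first that does not FAIL succeeds."""
    return any(rule(goal, model, cls) for rule in cls)

PROVE = (andsplit, orsplit, relcheck, ltqmany)   # assumed goal class for this sketch

def demo():
    """Constructed facts a = b, b <= c, c <= d, and three goals tried against them."""
    m = Model()
    for fact in (('EQ', 'a', 'b'), ('LTQ', 'b', 'c'), ('LTQ', 'c', 'd')):
        m.assert_(fact)
    return (prove(('AND', ('EQ', 'b', 'a'), ('LTQ', 'a', 'd')), m, PROVE),
            prove(('OR', ('LTQ', 'd', 'a'), ('LTQ', 'a', 'b', 'c', 'd')), m, PROVE),
            prove(('LTQ', 'd', 'a'), m, PROVE))
```

The order of the tuple is the order in which rules are tried, exactly as in a QA4 goal class; because ISREL? is cheap and always terminates, RELCHECK is a sensible early entry, while rules that spawn further goals come later.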

EQTIMESDIVIDE  and  EQSUBST  are  rules  for  reasoning  about  numbers  and 
substitutions,  respectively.  They  are  discussed  in  the  relevant  sections. 
     LEIBF = (LAMBDA (EQ (←F ←X)
                         (←F ←Y))
               (PROG (DECLARE)
                 ($ASK (' (EQ $X $Y)) PROVE?)
                 (GOAL $EQRULES (EQ $X $Y]


     LEIBT = (LAMBDA (EQ (TUPLE ←X ←←Z)
                         (TUPLE ←Y ←←W))
               (PROG (DECLARE)
                 (GOAL $EQRULES (EQ $X $Y))
                 (GOAL $EQRULES (EQ $$Z $$W]


     LEIBG = (LAMBDA (EQ (GET ←X ←←Z)
                         (GET ←Y ←←Z))
               (GOAL $EQRULES (EQ $X $Y]


     LEIBB = (LAMBDA (EQ (BAG ←X ←←Z)
                         (BAG ←Y ←←Z))
               (GOAL $EQRULES (EQ $X $Y]


The LEIBF rule asks the user if he wants that rule to be applied. The function ASK that performs the interaction is described in the section on utility functions.

•  EQSIMP and PROOFLEIB are very time consuming but also very powerful. EQSIMP says that to prove x = y, simplify x and try to prove that the simplified x is equal to y.

     EQSIMP = (LAMBDA (EQ ←X ←Y)
                (PROG (DECLARE)
                  (SETQ ←X ($SIMPONE $X))
                  (GOAL $EQRULES (EQ $X $Y)))
                BACKTRACK)

Since the program uses the BACKTRACK option, and since EQ implicitly takes a set as its argument, EQSIMP can work on y as well as on x. In other words, if it fails to simplify x, it will go ahead and try to simplify y.

•  PROOFLEIB tries to make use of information stored in the data base. It is used to prove inequalities as well as equalities.

     PROOFLEIB = (LAMBDA (←F ←X)
                   (PROG (DECLARE)
                     (EXISTS ($F ←Y))
                     ($ASK (' (EQ $X $Y)) PROVE?)
                     (GOAL $EQRULES (EQ $X $Y]


It says: to prove u = v, find an assertion of the form a = b and prove u = a and v = b. It relies on user interaction to cut off bad paths. Note that if F is EQ, we can expect X and Y to be sets, so that LEIBS will ultimately be called to prove the equality expression generated by PROOFLEIB.


2.  Inequalities


We now turn to the rules for proving inequalities.


     INEQUALITIES =
       (TUPLE ANDSPLIT RELCHECK ORSPLIT ORSPLITMANY PROOFSIMP
              INEQIFTHENELSE INEQSTRIPBAG INEQSTRIPSTRIP
              INEQSTRIPTRAN GTQLTQ LTQMANY FSUBTRACT1 FSUBTRACT2
              INEQTIMESDIVIDE EQINEQMONOTONE LTQPLUS PROOFLEIB
              INEQLEIB))


RELCHECK has been mentioned above.


•  GTQLTQ says that to prove y ≥ x, try to prove x ≤ y:

     GTQLTQ = (LAMBDA (GTQ ←Y ←X)
                (GOAL $INEQUALITIES (LTQ $X $Y]

•  LTQMANY takes an inequality goal, such as

     $x_1 \le x_2 \le \cdots \le x_n$

and breaks it into separate goals,

     $x_1 \le x_2$ and $x_2 \le x_3$ and $\cdots$ $x_{n-1} \le x_n$

     LTQMANY = (LAMBDA (LTQ ←X ←Y ←Z ←←W)
                 (PROG (DECLARE)
                   (GOAL $INEQUALITIES (LTQ $X $Y))
                   (GOAL $INEQUALITIES
                         (LTQ $Y $Z $$W]
LTQPLUS, FSUBTRACT1, and FSUBTRACT2 are special rules for reasoning about numbers and are discussed in the relevant section.


•  PROOFSIMP proves an expression F(Y) by trying to simplify Y and proving the simplified expression.


     PROOFSIMP = (LAMBDA (PAND ←X (←F ←Y))
                   (PROG (DECLARE GOALCLASS1)
                     (SETQ ←GOALCLASS1 $GOALCLASS)
                     (ATTEMPT (SETQ ←X ($ARGSIMP $X))
                        ELSE (FAIL))
                     (GOAL $GOALCLASS1 $X]


It has more general application than just to inequalities, although so far we have used it only for inequalities.


•  INEQLEIB is similar to PROOFLEIB, but it works only for inequalities.


     INEQLEIB = (LAMBDA (←L ←X ←Y)
                  (PROG (DECLARE LOWER UPPER)
                    (EXISTS ($L ←LOWER ←UPPER))
                    ($ASK PROVE (' (LTQ $X $LOWER))
                          AND
                          (' (LTQ $UPPER $Y))
                          ?)
                    (GOAL $INEQUALITIES
                          (AND (LTQ $X $LOWER)
                               (LTQ $UPPER $Y]


L is expected to be LT or LTQ. To prove x < y, for example, find an asserted statement LOWER < UPPER and prove x ≤ LOWER and UPPER ≤ y.
•  INEQIFTHENELSE is a rule that sets up a case analysis:


     INEQIFTHENELSE = (LAMBDA (←F ←←W1 (IFTHENELSE ←X ←Y ←Z) ←←W2)
                        (PROG (DECLARE VERICON)
                          (ATTEMPT (SETQ ←VERICON (CONTEXT PUSH LOCAL))
                                   (ASSERT $X WRT $VERICON)
                             THEN (GOAL $INEQUALITIES
                                        ($F $$W1 $Y $$W2)
                                        WRT $VERICON))
                          (ATTEMPT (SETQ ←VERICON (CONTEXT PUSH LOCAL))
                                   (DENY $X WRT $VERICON)
                             THEN (GOAL $INEQUALITIES
                                        ($F $$W1 $Z $$W2)
                                        WRT $VERICON)
                             ELSE (RETURN (SUCCESS WITH INEQIFTHENELSE]


For example, suppose the goal is (IF x THEN y ELSE z) ≤ w. This rule establishes two subcontexts of the local context. In one of these contexts, x is true; in the other, x is false. In the first context, the rule tries to prove y ≤ w, whereas in the second, it tries to prove z ≤ w. Note that the system that stores equalities and inequalities will cause a failure if an assertion (or a denial) would lead it to contradict what it knows. In that case the goal is considered to be achieved.

•  INEQSTRIPBAG is an inequality rule that has a bag as one of its arguments.


     INEQSTRIPBAG = (LAMBDA (←F ←←W (STRIP (BAG ←X ←←Y)) ←←Z)
                      (GOAL $INEQUALITIES
                            (AND ($F $$W $X $$Z)
                                 ($F $$W (STRIP (BAG $$Y)) $$Z]
This rule would be invoked when we want to show, for example, $w_1 \le (\mathrm{STRIP}\ (\mathrm{BAG}\ c_1\ c_2\ \ldots)) \le w_2$. The intention here is to demonstrate that $w_1 \le c_1 \le w_2$ and $w_1 \le c_2 \le w_2$ and so forth. Ultimately, we might have to demonstrate that $w_1 \le (\mathrm{STRIP}\ (\mathrm{BAG})) \le w_2$. The special relations handler (ISREL?) succeeds vacuously with any inequality relation where one of the arguments is (STRIP (BAG)).

3.  Deduce

•  DEDUCE is a goal class of rules that are guaranteed to terminate quickly. It is used when we want something more inquisitive than EXISTS but less time-consuming than PROVE, EQRULES, or INEQUALITIES.

     DEDUCE =
       (TUPLE RELCHECK ANDSPLIT ORSPLIT ORSPLITMANY LTPLUS FSUBTRACT1
              FSUBTRACT2 LTQPLUS NOTATOM CONSTCAR CONSTCDR))

We  have  already  described  RELCHECK. 

The  other  DEDUCE  rules  are  for  special  applications  and  are  discussed 
in  the  appropriate  sections. 

4.  Simplification

•  The top-level simplification function is SIMPONE. This function does not try to simplify its argument completely. It will find a partial simplification; repeated applications, if necessary, will completely simplify the expression.

The simplification rules may, of course, be added by the user. We expect that each simplification rule should make the expression simpler in some sense. Otherwise, the program may loop interminably.
     SIMPONE = (LAMBDA ←GOAL1
                 (PROG (DECLARE SIMPGOAL)
                   (IF (EQUAL ($TYPE $GOAL1) NUMBER)
                       THEN (FAIL))
                   ($ASK $GOAL1 SIMPLIFY?)
                   (SETQ ←SIMPGOAL
                         (ATTEMPT (GOAL $TOPRULES $GOAL1)
                            ELSE ($TRY $TOPRULES
                                       (GOAL $DOWNRULES $GOAL1]
                   (PUT $GOAL1 SIMPLIFIED $SIMPGOAL WRT ETERNAL)
                   (RETURN $SIMPGOAL]


SIMPONE fails if it cannot simplify its argument at all. It treats numbers as being completely simplified. It asks the user for permission to go ahead. It tries a goal class, TOPRULES, on the expression.

•  TOPRULES is a set of rules that work on the top level of the expression:


     TOPRULES =
       (TUPLE HASSIMP FAILINTODOWNRULES PLUSOP TIMESOP MINUSOP
              FIFTHENELSE BAGAOP SUBSTOP EXPZERO EXPEXP SUBPLUS
              SUBNUM GCDEQ ACCH CONSDIFF DIFDIF DIFFCONS DIFFONE
              MAXPLUS MAXONE BAGSTRIP ACCEX EQNUMB)


If  any  of  these  rules  apply,  SIMPONE  returns  the  simplified  expression 
as  its  value.  Otherwise,  it  tries  to  simplify  some  subexpression  of  the 
given  expression: 


     DOWNRULES = (TUPLE ARGSIMP TUPSIMP BAGSIMP SETSIMP))


     ARGSIMP = (LAMBDA (←F ←X)
                 ($LOPT (' ($F $X))
                        (TUPLE 2)
                        ($SIMPONE $X]


     TUPSIMP = (LAMBDA (TUPLE ←←X ←Y ←←Z)
                 (TUPLE $$X ($SIMPONE $Y) $$Z)
                 BACKTRACK)


     BAGSIMP = (LAMBDA (BAG ←X ←←Y)
                 (BAG ($SIMPONE $X) $$Y)
                 BACKTRACK)


     SETSIMP = (LAMBDA (SET ←X ←←Y)
                 (SET ($SIMPONE $X) $$Y)
                 BACKTRACK)


The DOWNRULES simplify a complex expression by simplifying the component parts of the expression. If any of the DOWNRULES apply, SIMPONE applies the TOPRULES again to the new expression. SIMPONE calls the functions ASK and TRY that are described in the section on utility functions.


•  SIMPONE puts the simplified expression on the property list of the original expression. In this way, if it ever comes across the original expression again, one of the TOPRULES, HASSIMP, will immediately know what simplification was found before.


     HASSIMP = (LAMBDA ←X
                 (IF (NOT (IN (SETQ ←X (GET $X SIMPLIFIED))
                              (TUPLE DONE NOSUCHPROPERTY)))
                     THEN $X
                     ELSE (FAIL)))


•  If  the  expression  to  be  simplified  is  a  set,  tuple  or  bag  rather 
than  a  function  application,  none  of  the  TOPRULES  will  apply  to  it.  To 
avoid  the  cost  of  searching  for  a  match  among  all  the  TOPRULES,  the  rule 
FAILINTODOWNRULES  will  first  test  for  this  condition  and  cause  the  entire 
goal  statement  to  fail  should  it  arise: 
     FAILINTODOWNRULES = (LAMBDA ←X
                           (IF (IN ($TYPE $X)
                                   (TUPLE TUPLE SET BAG))
                               THEN (FAIL GOAL)
                               ELSE (FAIL]


SIMPONE will then apply the DOWNRULES to the argument to see if any of its subexpressions can be simplified.


•  One of the most general TOPRULES is EQNUMB, which replaces any expression by the "smallest" known equal expression:


     EQNUMB = (LAMBDA ←X
                (PROG (DECLARE BEST EQSET)
                  (IF (EQUAL (SETQ ←EQSET (GET $X EQ))
                             NOSUCHPROPERTY)
                      THEN (FAIL))
                  (SETQ ←BEST ($SHORTEST $EQSET))
                  (IF (EQUAL $BEST $X)
                      THEN (FAIL)
                      ELSE (RETURN $BEST]


The "smallest" element of a set is computed by the QA4 function SHORTEST, described among the utility functions.


If  EQNUMB  fails  to  find  a  smaller  representation  for  x,  it  fails. 


     FIFTHENELSE = (LAMBDA (←F (IFTHENELSE ←W ←X ←Y))
                     (' (IFTHENELSE $W ($F $X)
                                       ($F $Y]


FIFTHENELSE moves conditional expressions outside of function applications. An expression of the form

     f(IF w THEN x ELSE y)

translates into

     IF w THEN f(x) ELSE f(y)


The  remaining  rules  in  TOPRULES  are  discussed  in  the  sections  dealing 
with  special  subject  domains . 
5.  Reasoning About Numbers


a.  Equality and Inequality Rules


•  EQTIMESDIVIDE is an EQRULE. It means that to prove w = (x/y)*z, prove w*y = x*z:


     EQTIMESDIVIDE = (LAMBDA (EQ ←W (TIMES (DIVIDES ←X ←Y)
                                            ←←Z))
                       (GOAL $EQRULES (EQ (TIMES $Y $W)
                                          (TIMES $X $$Z)))
                       BACKTRACK)


Some  inequality  rules  that  know  about  numbers  are  presented  below. 


•  LTQPLUS says that to prove i ≤ j+k, prove i ≤ j and 0 ≤ k:


     LTQPLUS = (LAMBDA (LTQ ←I (PLUS ←J ←K))
                 (GOAL $DEDUCE (AND (LTQ $I $J)
                                    (LTQ 0 $K)))
                 BACKTRACK)


First, the rule attempts to prove that i ≤ j and 0 ≤ k. If either of these proofs is unsuccessful, then the backtracking mechanism will interchange the bindings of the arguments of LTQPLUS. This then leads to an attempt to prove i ≤ k and 0 ≤ j.


•  LTPLUS is the analogue of LTQPLUS for LT:


     LTPLUS = (LAMBDA (LT ←I (PLUS ←J ←K))
                (GOAL $DEDUCE (AND (LTQ $I $J)
                                   (LT 0 $K)))
                BACKTRACK)


It means that to prove i < j+k, prove i ≤ j and 0 < k. It can backtrack to reverse the roles of j and k.


FSUBTRACT1 and FSUBTRACT2 allow us to make deductions: for example, to prove x-y ≤ z try to prove x ≤ y+z.


     FSUBTRACT1 = (LAMBDA (←F (SUBTRACT ←X ←Y)
                              ←Z)
                    (GOAL $GOALCLASS ($F $X (PLUS $Y $Z]


     FSUBTRACT2 = (LAMBDA (←F ←X (SUBTRACT ←Y ←Z))
                    (GOAL $GOALCLASS ($F (PLUS $X $Z)
                                         $Y]


•  INEQMONOTONE says that to prove w+x ≤ y+z, prove w ≤ y and x ≤ z, or w ≤ z and x ≤ y.


     EQINEQMONOTONE = (LAMBDA (←L (PLUS ←W ←X)
                                  (PLUS ←Y ←Z))
                        (PROG (DECLARE)
                          ($ASK PROVE (' ($L $W $Y))
                                AND
                                (' ($L $X $Z))
                                ?)
                          (GOAL $GOALCLASS
                                (AND ($L $W $Y)
                                     ($L $X $Z]
                        BACKTRACK))


•  The rule INEQTIMESDIVIDE is similar to EQTIMESDIVIDE except that it must check that the denominator is nonnegative before multiplying out:


     INEQTIMESDIVIDE = (LAMBDA (←F ←W (TIMES (DIVIDES ←X ←Y)
                                               ←←Z))
                         (PROG (DECLARE)
                           (GOAL $DEDUCE (LT 0 $Y))
                           (GOAL $INEQUALITIES
                                 ($F (TIMES $Y $W)
                                     (TIMES $X $$Z]
                         BACKTRACK)


This rule says that to prove w < (x/y)*z, say, in the case that 0 < y, try to prove w*y < x*z.

b.  Numerical Demons

•  When x ≥ y is asserted, assert that y ≤ x:

     (WHEN EXP (GTQ ←X ←Y)
           INDICATOR MODELVALUE THEN (ASSERT (LTQ $Y $X)
                                             WRT $VERICON]

These demons make their assertions with respect to the current context, VERICON.

•  Whenever x+y ≤ x+z is asserted, we want to conclude that y ≤ z:


     (WHEN EXP (LTQ (PLUS ←X ←Y)
                    (PLUS ←X ←Z))
           INDICATOR MODELVALUE THEN
           (ASSERT (LTQ $Y $Z)
                   WRT $VERICON]


•  Whenever w-x ≤ y is asserted, assert w ≤ x+y, simplifying the right side, if possible:


     (WHEN EXP (LTQ (SUBTRACT ←W ←X)
                    ←Y)
           INDICATOR MODELVALUE THEN
           (PROG (DECLARE RTSIDE)
             (SETQ ←RTSIDE
                   ($TRYALL $PLUSRULES
                            (' (PLUS $Y $X]
             (ASSERT (LTQ $W $RTSIDE)
                     WRT $VERICON]


•  Whenever (w-x)+x ≤ y is asserted, then assert w ≤ y:


     (WHEN EXP (LTQ (PLUS (SUBTRACT ←W ←X)
                          ←X)
                    ←Y)
           INDICATOR MODELVALUE THEN
           (ASSERT (LTQ $W $Y)
                   WRT $VERICON]


Certain demons are intended exclusively for the integer domain.

•  x < y ⊃ x+1 ≤ y:


     (WHEN EXP (LT ←X ←Y)
           INDICATOR MODELVALUE THEN
           (ASSERT (LTQ (PLUS $X 1)
                        $Y)
                   WRT $VERICON]


•  x > y ⊃ y+1 ≤ x:

     (WHEN EXP (GT ←X ←Y)
           INDICATOR MODELVALUE THEN
           (ASSERT (LTQ (PLUS $Y 1)
                        $X)
                   WRT $VERICON]
•  Whenever w-x < y is denied, deny w ≤ y+x-1, simplifying if possible:


     (WHEN EXP (LT (SUBTRACT ←W ←X)
                   ←Y)
           INDICATOR MODELVALUE PUTS FALSE THEN
           (PROG (DECLARE RTSIDE)
             (SETQ ←RTSIDE
                   ($TRYALL $PLUSRULES
                            (' (PLUS $Y $X
                                     (MINUS 1]
             (DENY (LTQ $W $RTSIDE)
                   WRT $VERICON]
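To show the demons above in operation, and the contradiction check that INEQIFTHENELSE relies on (an assertion or denial that conflicts with the context makes the goal succeed), here is an added Python example; it is not the paper's code and QA4's WHEN/INDICATOR/MODELVALUE machinery is replaced by a list of Python functions run after every new assertion or denial. The Context class, the tuple encoding of relations, and the constructed facts in demo() are assumptions of this example; sums are written as two-element PLUS terms so that the common-summand demon can match either position.

```python
"""Added example: a demon-driven assertion data base with contexts, modelled on the
numerical demons of the paper (WHEN ... INDICATOR MODELVALUE THEN (ASSERT ...))."""

class Contradiction(Exception):
    """Raised when an assertion or denial conflicts with what the context already holds."""

class Context:
    """Facts asserted or denied here plus everything inherited from the parent (CONTEXT PUSH)."""
    def __init__(self, parent=None):
        self.parent, self.true, self.false = parent, set(), set()

    def _has(self, fact, attr):
        c = self
        while c is not None:
            if fact in getattr(c, attr):
                return True
            c = c.parent
        return False

    def holds(self, fact):
        return self._has(fact, 'true')

    def push(self):
        return Context(self)

    def assert_(self, fact):
        if self._has(fact, 'false'):
            raise Contradiction(fact)
        if not self._has(fact, 'true'):          # new fact: record it and wake the demons
            self.true.add(fact)
            for demon in ASSERT_DEMONS:
                demon(fact, self)

    def deny(self, fact):
        if self._has(fact, 'true'):
            raise Contradiction(fact)
        if not self._has(fact, 'false'):
            self.false.add(fact)
            for demon in DENY_DEMONS:
                demon(fact, self)

def _is(term, op):
    return isinstance(term, tuple) and term[0] == op

# --- the demons; each inspects a newly asserted (or denied) fact and may add more ---
def gtq_to_ltq(fact, ctx):                 # x >= y  ==>  y <= x
    if fact[0] == 'GTQ':
        ctx.assert_(('LTQ', fact[2], fact[1]))

def cancel_common_summand(fact, ctx):      # x+y <= x+z  ==>  y <= z  (PLUS is a bag)
    if fact[0] == 'LTQ' and _is(fact[1], 'PLUS') and _is(fact[2], 'PLUS') \
            and len(fact[1]) == 3 and len(fact[2]) == 3:
        left, right = list(fact[1][1:]), list(fact[2][1:])
        for common in left:
            if common in right:
                left.remove(common); right.remove(common)
                ctx.assert_(('LTQ', left[0], right[0]))
                return

def move_subtrahend(fact, ctx):            # w-x <= y  ==>  w <= y+x
    if fact[0] == 'LTQ' and _is(fact[1], 'SUBTRACT'):
        (_, w, x), y = fact[1], fact[2]
        ctx.assert_(('LTQ', w, ('PLUS', y, x)))

def integer_strict(fact, ctx):             # x < y  ==>  x+1 <= y   (integer domain only)
    if fact[0] == 'LT':
        ctx.assert_(('LTQ', ('PLUS', fact[1], 1), fact[2]))

def denied_subtract(fact, ctx):            # deny w-x < y  ==>  deny w <= y+x-1
    if fact[0] == 'LT' and _is(fact[1], 'SUBTRACT'):
        (_, w, x), y = fact[1], fact[2]
        ctx.deny(('LTQ', w, ('PLUS', y, x, ('MINUS', 1))))

ASSERT_DEMONS = (gtq_to_ltq, cancel_common_summand, move_subtrahend, integer_strict)
DENY_DEMONS = (denied_subtract,)

def demo():
    """Constructed facts; returns what the demons derived and whether a case split
    that denies an inherited fact is caught as a contradiction."""
    ctx = Context()
    ctx.assert_(('GTQ', 'n', ('PLUS', 'i', 1)))                      # n >= i+1
    ctx.assert_(('LTQ', ('PLUS', 'k', 'a'), ('PLUS', 'b', 'k')))     # k+a <= b+k
    ctx.assert_(('LT', 'p', 'q'))                                    # p < q
    sub = ctx.push()                       # subcontext, as INEQIFTHENELSE would create
    try:
        sub.deny(('LTQ', ('PLUS', 'i', 1), 'n'))
        contradicted = False
    except Contradiction:
        contradicted = True
    return (ctx.holds(('LTQ', ('PLUS', 'i', 1), 'n')), ctx.holds(('LTQ', 'a', 'b')),
            ctx.holds(('LTQ', ('PLUS', 'p', 1), 'q')), contradicted)
```

Because a demon only fires on a fact that is new to the context, chains of demons terminate as soon as they would re-derive something already known; the paper's demons have the same property through the model's property lists.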


c.  Numerical Simplification

Much of the knowledge the system has about numbers is embedded in the simplifier. For efficiency, these rules have been arranged hierarchically. For example, only one rule, PLUSOP, in TOPRULES deals with sums.

     PLUSOP = (LAMBDA (PAND ←Y (PLUS ←←X))
                ($TRYALLFAIL $PLUSRULES $Y])

However, this one rule coordinates a multitude of other rules. All the rules that operate on plus expressions are in the goal class PLUSRULES.

     PLUSRULES = (TUPLE PLUSEMPTY PLUSSINGLE PLUSZERO PLUSPLUS
                        PLUSMINUS PLUSDIFFERENCE PLUSCOMBINE
                        PLUSNUMBER))

The strategy PLUSOP uses is to apply all the PLUSRULES to its argument until no further simplification is possible. (The function TRYALLFAIL, that expresses this strategy, is described among the utility functions.) If PLUSOP can find no simplification at all, it fails.

Most  of  the  PLUSRULES  are  quite  simple. 

•  The sum of the empty bag is 0:

     PLUSEMPTY = (LAMBDA (PLUS)
                   0])


•  The sum of a bag of one element is that element itself (i.e., +x = x):

     PLUSSINGLE = (LAMBDA (PLUS ←X)
                    $X])

•  x+0 = +x:

     PLUSZERO = (LAMBDA (PLUS 0 ←←X)
                  (' (PLUS $$X]

Note that this rule implicitly says

     0+x = +x

     x+0+y = x+y

     x+y+0+z = x+y+z ,

and so forth, because PLUS takes a bag as its argument.

•  $(x_1 + x_2 + \cdots) + y_1 + y_2 + \cdots = x_1 + x_2 + \cdots + y_1 + y_2 + \cdots$ :

     PLUSPLUS = (LAMBDA (PLUS (PLUS ←←X) ←←Y)
                  (' (PLUS $$X $$Y]


•  x+(-x)+y = +y


     PLUSMINUS = (LAMBDA (PLUS ←X (MINUS ←X) ←←Y)
                   (' (PLUS $$Y]


•  x+(y-z)+w = x+y+w+(-z)

     PLUSDIFFERENCE = (LAMBDA (PLUS ←X (SUBTRACT ←Y ←Z) ←←W)
                        ($TRY (TUPLE PLUSMINUS)
                              (' (PLUS $Y $X $$W (MINUS $Z]


Note  that  PLUSDIFFERENCE  recommends  that  PLUSMINUS  be  attempted  immediately 
afterward.  This  is  merely  advice;  if  PLUSMINUS  does  not  apply,  nothing 
is  lost.  (TRY  is  described  in  the  section  on  utility  functions.) 


•  x+x+y = 2*x+y


     PLUSCOMBINE = (LAMBDA (PLUS ←X ←X ←←Y)
                     ($TRYSUB $TIMESRULES ON
                              (' (TIMES 2 $X))
                              IN
                              (' (PLUS (TIMES 2 $X)
                                       $$Y]


Note that PLUSCOMBINE recommends that the 2*x term be simplified if possible.


•  If two elements of a plus expression are syntactically numbers, PLUSNUMBER will add them up:

     PLUSNUMBER = (LAMBDA (PLUS ←X ←Y ←←Z)
                    (PROG (DECLARE SUM)
                      ($INSIST (EQUAL ($TYPE $X)
                                      NUMBER))
                      ($INSIST (EQUAL ($TYPE $Y)
                                      NUMBER))
                      (SETQ ←SUM (PLUS $X $Y))
                      (RETURN (PLUS $SUM $$Z)))
                    BACKTRACK)
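The following added Python example (not the paper's code) shows the PLUSRULES above working under a PLUSOP/TRYALLFAIL loop, and that loop sitting inside a SIMPONE-style driver from section 4: TOPRULES first, then DOWNRULES (ARGSIMP) on the first simplifiable argument, with results memoised the way HASSIMP reads the SIMPLIFIED property. Terms are tuples whose PLUS arguments are treated as a bag, so the rules match summands in any position; the tuple encoding, the helper _pick that stands in for QA4's bag matching, and the skipping of numbers in PLUSCOMBINE (so that PLUSNUMBER, not PLUSCOMBINE, handles 2+2) are assumptions of this example.

```python
"""Added example: a SIMPONE-style simplifier (TOPRULES, DOWNRULES, SIMPLIFIED memo)
running the paper's PLUSRULES, written in Python rather than QA4."""
from numbers import Number

# Terms: numbers, identifier strings, ('MINUS', x), ('TIMES', ...), or ('PLUS', ...)
# whose arguments form a bag, so the order of summands carries no meaning.

def _pick(args, pred):
    """First argument satisfying pred, with the remaining bag; None if none does.
    Stands in for QA4's bag matching of a pattern such as (PLUS ←X ←←Y)."""
    for i, a in enumerate(args):
        if pred(a):
            return a, args[:i] + args[i + 1:]
    return None

# --- PLUSRULES: each returns a rewritten term, or None for FAIL ---
def plusempty(t):                      # (PLUS) = 0
    return 0 if len(t) == 1 else None

def plussingle(t):                     # (PLUS x) = x
    return t[1] if len(t) == 2 else None

def pluszero(t):                       # x+0+y = x+y
    m = _pick(t[1:], lambda a: a == 0)
    return ('PLUS',) + m[1] if m else None

def plusplus(t):                       # (x1+x2+...)+y1+... = x1+x2+...+y1+...
    m = _pick(t[1:], lambda a: isinstance(a, tuple) and a[0] == 'PLUS')
    return ('PLUS',) + m[0][1:] + m[1] if m else None

def plusminus(t):                      # x+(-x)+y = +y
    for x in t[1:]:
        m = _pick(t[1:], lambda a: a == ('MINUS', x))
        if m:
            rest = _pick(m[1], lambda a: a == x)
            if rest:
                return ('PLUS',) + rest[1]
    return None

def pluscombine(t):                    # x+x+y = 2*x+y (numbers left to PLUSNUMBER)
    for i, x in enumerate(t[1:]):
        if isinstance(x, Number):
            continue
        m = _pick(t[1:i + 1] + t[i + 2:], lambda a: a == x)
        if m:
            return ('PLUS', ('TIMES', 2, x)) + m[1]
    return None

def plusnumber(t):                     # two syntactic numbers are added up
    nums = [a for a in t[1:] if isinstance(a, Number)]
    if len(nums) < 2:
        return None
    rest = tuple(a for a in t[1:] if not isinstance(a, Number))
    return ('PLUS', nums[0] + nums[1]) + tuple(nums[2:]) + rest

PLUSRULES = (plusempty, plussingle, pluszero, plusplus, plusminus, pluscombine, plusnumber)

def tryallfail(rules, term):
    """TRYALLFAIL: apply the rules until none applies; FAIL if nothing changed."""
    cur, changed = term, False
    while isinstance(cur, tuple) and cur[0] == 'PLUS':
        for r in rules:
            new = r(cur)
            if new is not None:
                cur, changed = new, True
                break
        else:
            break
    return cur if changed else None

def plusop(t):                         # PLUSOP: the one TOPRULE that handles sums
    return tryallfail(PLUSRULES, t) if isinstance(t, tuple) and t[0] == 'PLUS' else None

def minusop(t):                        # MINUSOP: first of MINUSZERO, MINUSMINUS that applies
    if not (isinstance(t, tuple) and t[0] == 'MINUS'):
        return None
    x = t[1]
    if x == 0:
        return 0
    if isinstance(x, tuple) and x[0] == 'MINUS':
        return x[1]
    return None

TOPRULES = (plusop, minusop)
SIMPLIFIED = {}                        # the SIMPLIFIED property that HASSIMP consults

def _top(t):
    for r in TOPRULES:
        new = r(t)
        if new is not None:
            return new
    return None

def simp_one(t):
    """One simplification step; None means FAIL. Numbers count as completely simplified."""
    if isinstance(t, Number):
        return None
    if t in SIMPLIFIED:                # HASSIMP
        return SIMPLIFIED[t]
    result = _top(t)
    if result is None and isinstance(t, tuple):   # DOWNRULES (ARGSIMP), then TOPRULES again
        for i, a in enumerate(t[1:]):
            sa = simp_one(a)
            if sa is not None:
                result = t[:i + 1] + (sa,) + t[i + 2:]
                again = _top(result)
                result = again if again is not None else result
                break
    if result is not None:
        SIMPLIFIED[t] = result
    return result

def simplify(t):
    """Repeated SIMPONE until it fails, as the text describes."""
    while True:
        s = simp_one(t)
        if s is None:
            return t
        t = s
```

Every PLUSRULE removes at least one summand or nesting level, which is the property the text asks of simplification rules ("make the expression simpler in some sense") and the reason TRYALLFAIL's loop terminates.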


•  The rule TIMESOP is strategically similar to PLUSOP:


     TIMESOP = (LAMBDA (PAND ←Y (TIMES ←←X))
                 ($TRYALLFAIL $TIMESRULES $Y])


It will apply all the TIMESRULES to the expression in question. TIMESRULES is

     TIMESRULES =
       (TUPLE TIMESEMPTY TIMESSINGLE TIMESZERO TIMESONE TIMESPLUS
              TIMESTIMES CANCEL SQRULE TIMESEXP TIMESDIVIDEONE))


•  The product of the empty bag is 1:


     TIMESEMPTY = (LAMBDA (TIMES)
                    1])


•  The product of a bag of one element is that element itself:


     TIMESSINGLE = (LAMBDA (TIMES ←X)
                     $X])


•  0*y = 0


     TIMESZERO = (LAMBDA (TIMES 0 ←←Y)
                   0])


•  1*x = x


     TIMESONE = (LAMBDA (TIMES 1 ←←X)
                  (' (TIMES $$X]


Recall that these rules also imply

     x*1*y = x*y
     x*0*y*z = 0

and so forth.


•  (x+y)*z = x*z + (+y)*z (distribution law):


     TIMESPLUS = (LAMBDA (TIMES (PLUS ←X ←←Y)
                                ←←Z)
                   ($TRY $PLUSRULES
                         ($TRYSUB $PLUSRULES ON (' (PLUS $$Y))
                                  IN
                                  (' (PLUS (TIMES $X $$Z)
                                           (TIMES (PLUS $$Y)
                                                  $$Z]


(Some simplification is attempted immediately on y and on x*z + y*z. TRYSUB is explained in the section on utility functions.)
•  $(x_1 * x_2 * \cdots) * y_1 * y_2 * \cdots = x_1 * x_2 * \cdots * y_1 * y_2 * \cdots$


     TIMESTIMES = (LAMBDA (TIMES (TIMES ←←X)
                                 ←←Y)
                    (' (TIMES $$X $$Y]


•  x*(1/y)*z = (x/y)*z


     TIMESDIVIDEONE = (LAMBDA (TIMES ←X (DIVIDES 1 ←Y)
                                     ←←Z)
                        (' (TIMES (DIVIDES $X $Y)
                                  $$Z]


•  x*(y/x)*z = y*z


     CANCEL = (LAMBDA (TIMES ←X (DIVIDES ←Y ←X)
                             ←←Z)
                (' (TIMES $Y $$Z]


•  $x * x * y = x^2 * y$


     SQRULE = (LAMBDA (TIMES ←X ←X ←←Y)
                ($TRY (TUPLE TIMESSINGLE)
                      (' (TIMES (EXP $X 2)
                                $$Y]


•  $x * x^n * y = x^{n+1} * y$ :

     TIMESEXP = (LAMBDA (TIMES ←X (EXP ←X ←N)
                               ←←Y)
                  ($TRYSUB $PLUSRULES ON (' (PLUS $N 1))
                           IN
                           (' (TIMES (EXP $X (PLUS $N 1))
                                     $$Y]


•  To the reader who has gotten this far, MINUSOP will be self-explanatory:


     MINUSOP = (LAMBDA (MINUS ←X)
                 (GOAL (TUPLE MINUSZERO MINUSMINUS MINUSPLUS)
                       (MINUS $X]

Note that MINUSOP, unlike PLUSOP and TIMESOP, does not apply all the rules to the expression, but will return the value of the first rule that does not fail.

•  -0 = 0 :


     MINUSZERO = (LAMBDA (MINUS 0)
                   0]


•  -(-x) = x


     MINUSMINUS = (LAMBDA (MINUS (MINUS ←X))
                    $X]


•  -(x+y) = (-x)+(-y) :

     MINUSPLUS = (LAMBDA (MINUS (PLUS ←X ←←Y))
                   ($TRY $PLUSRULES (PLUS (MINUS $X)
                                          (MINUS (PLUS $$Y]

At present there are only two subtraction rules, and so we do not combine them into one operator:


•  x-y = x+(-y)


     SUBPLUS = (LAMBDA (SUBTRACT ←X ←Y)
                 ($TRY $PLUSRULES (' (PLUS $X (MINUS $Y]


•  If x and y are both numbers and not variables, SUBNUM actually evaluates x-y:

     SUBNUM = (LAMBDA (SUBTRACT ←X ←Y)
                (PROG (DECLARE)
                  ($INSIST (AND (EQUAL ($TYPE $X) NUMBER)
                                (EQUAL ($TYPE $Y)
                                       NUMBER)))
                  (RETURN (= (SUBTRACT $X $Y]


The  "="  sign  forces  the  system  to  evaluate  what  it  would  otherwise  merely 
instantiate.  INSIST  is  another  utility  function. 
Two more rules about exponentiation are given below.


•  $x^0 = 1$


     EXPZERO = (LAMBDA (EXP ←X 0)
                 1])


•  $(x^y)^z = x^{y z}$


     EXPEXP = (LAMBDA (EXP (EXP ←X ←Y) ←Z)
                ($TRYSUB $TIMESRULES ON (' (TIMES $Y $Z))
                         IN
                         (' (EXP $X (TIMES $Y $Z]


Note  that  EXPEXP  recommends  that  the  TIMESRULES  be  applied  to 
the  product  y*z;  this  is  heuristic  advice  that  could  have  been  omitted. 

•  (GCD X X) = X


     GCDEQ = (LAMBDA (GCD ←X ←Y)
               (PROG (DECLARE)
                 (GOAL $DEDUCE (EQ $X $Y))
                 (RETURN $X]


The  GCD  is  the  greatest  common  divisor. 


6.  Reasoning About Arrays

Most of the knowledge about arrays embedded in the system is expressed as simplification rules.

•  (ACCESS (CHANGE A I T) I) = T

   I ≠ J ⊃ (ACCESS (CHANGE A I T) J) = (ACCESS A J) :


     ACCH = (LAMBDA (ACCESS (CHANGE ←A ←I ←T)
                            ←J)
              (PROG (DECLARE)
                (ATTEMPT (GOAL $DEDUCE (EQ $I $J))
                   THEN (RETURN $T))
                (GOAL $DEDUCE (NEQ $I $J))
                (RETURN (ACCESS $A $J]
     (MAXA A I J+1) = A[J+1]

On the other hand, if

     (MAXA A I J) > A[J+1] ,

then

     (MAXA A I J+1) = (MAXA A I J)


     MAXPLUS = (LAMBDA (MAXA ←A ←I (PLUS ←J 1))
                 (PROG (DECLARE)
                   (ATTEMPT (GOAL $DEDUCE (LTQ (MAXA $A $I $J)
                                               (ACCESS $A (PLUS $J 1))))
                      THEN (RETURN (ACCESS $A (PLUS $J 1))))
                   (GOAL $DEDUCE (LT (ACCESS $A (PLUS $J 1))
                                     (MAXA $A $I $J)))
                   (RETURN (MAXA $A $I $J]


•  Recall that (BAGA A I J) is the bag [A[I], A[I+1], ..., A[J]]. Because of the crucial part this function plays in assertions about sort-like programs, we have many rules for it.

     BAGARULES =
       (TUPLE BAGAPLUS BAGAEMPTY BAGAII ARGSIMP BAGH BAGEX BAGEX1
              BAGAMINUS BAGALOWERPLUS BAGEXCOMPLICATED))


•  These rules are controlled by the rule BAGAOP, one of the TOPRULES:


     BAGAOP = (LAMBDA (PAND ←Y (BAGA ←←X))
                ($TRYALLFAIL $BAGARULES $Y])

Thus, the BAGARULES will be tried whenever we are simplifying an expression of the form (BAGA A I J).


•  If I ≤ J+1, then (BAGA A I J+1) = (BAG A[J+1] (STRIP (BAGA A I J))):


     BAGAPLUS = (LAMBDA (BAGA ←A ←I (PLUS 1 ←J))
                  (PROG (DECLARE)
                    (GOAL $DEDUCE (LTQ $I (PLUS 1 $J)))
                    (RETURN (BAG (ACCESS $A (PLUS $J 1))
                                 (STRIP (BAGA $A $I $J]
ACCH is one of the TOPRULES, as are the rules below, ACCEX, MAXONE, MAX, and MAXPLUS.


•  (EXCHANGE A I J) is a higher level function whose output is the array A with the values of A[I] and A[J] exchanged. The value of (ACCESS (EXCHANGE A I J) K) depends on whether or not K equals I or J, i.e., whether the element here accessed was affected by the exchange. If K = I, the value is A[J]. If K = J, the value is A[I]. If K is neither I nor J, the value is the original value of A[K], since that location has not been affected by the exchange. The rule fails if it cannot be determined that K = I or K = J. This information is embodied in the rule ACCEX:


     ACCEX = (LAMBDA (ACCESS (EXCHANGE ←A ←I ←J)
                             ←K)
               (PROG (DECLARE)
                 (ATTEMPT (GOAL $DEDUCE (EQ $K $I))
                    THEN (RETURN (ACCESS $A $J)))
                 (ATTEMPT (GOAL $DEDUCE (EQ $K $J))
                    THEN (RETURN (ACCESS $A $I)))
                 (GOAL $DEDUCE (AND (NEQ $K $I)
                                    (NEQ $K $J)))
                 (RETURN (ACCESS $A $K]
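The ACCH and ACCEX rules above, as an added Python example (not the paper's code): array terms are tuples, DEDUCE is replaced by a cheap check against a set of index facts that always terminates (syntactic identity, distinct integer literals, or an asserted EQ/NEQ in either orientation), and None plays the part of FAIL, leaving the access unsimplified when the index relationship is unknown. The tuple encoding, the fact set and the driver simplify_access are assumptions of this example.

```python
"""Added example: ACCH and ACCEX as Python rewrite rules over a small DEDUCE."""

def deduce(goal, facts):
    """Stand-in for the DEDUCE goal class on index terms: only checks that cannot loop."""
    rel, a, b = goal
    if rel == 'EQ' and a == b:
        return True
    if rel == 'NEQ' and isinstance(a, int) and isinstance(b, int) and a != b:
        return True
    return (rel, a, b) in facts or (rel, b, a) in facts

def acch(term, facts):
    """(ACCESS (CHANGE A I T) J) -> T if I = J, (ACCESS A J) if I ≠ J, else None (FAIL)."""
    if not (term[0] == 'ACCESS' and isinstance(term[1], tuple) and term[1][0] == 'CHANGE'):
        return None
    (_, a, i, t), j = term[1], term[2]
    if deduce(('EQ', i, j), facts):
        return t
    if deduce(('NEQ', i, j), facts):
        return ('ACCESS', a, j)
    return None

def accex(term, facts):
    """(ACCESS (EXCHANGE A I J) K) -> A[J] if K = I, A[I] if K = J,
    A[K] if K differs from both, else None (FAIL)."""
    if not (term[0] == 'ACCESS' and isinstance(term[1], tuple) and term[1][0] == 'EXCHANGE'):
        return None
    (_, a, i, j), k = term[1], term[2]
    if deduce(('EQ', k, i), facts):
        return ('ACCESS', a, j)
    if deduce(('EQ', k, j), facts):
        return ('ACCESS', a, i)
    if deduce(('NEQ', k, i), facts) and deduce(('NEQ', k, j), facts):
        return ('ACCESS', a, k)
    return None

def simplify_access(term, facts):
    """Apply ACCH/ACCEX from the outside in until neither applies, as SIMPONE's
    repeated application would; an unsimplifiable access is returned unchanged."""
    while isinstance(term, tuple):
        new = acch(term, facts)
        if new is None:
            new = accex(term, facts)
        if new is None:
            return term
        term = new
    return term

FACTS = {('NEQ', 'k', 'i'), ('EQ', 'k', 'j')}   # constructed index facts for the demo

def demo():
    """An access into an array that was exchanged and then changed: with the facts
    above it reduces to A[i]; with no facts the rules fail and it stays as it is."""
    nested = ('ACCESS', ('CHANGE', ('EXCHANGE', 'A', 'i', 'j'), 'i', 't'), 'k')
    return simplify_access(nested, FACTS), simplify_access(nested, set())
```

The failing case is the important one for a verifier: an access that cannot be simplified survives into the verification condition, which tells the user that the assertions do not pin down the relationship between the indices.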


•  The maximum of an array, MAXA, is a function of three arguments: the array, the lower bound, and the upper bound.


     (MAXA A I J) = (MAX A[I], A[I+1], ..., A[J])

     (MAXA A I I) = A[I]:


     MAXONE = (LAMBDA (MAXA ←A ←I ←J)
                (PROG (DECLARE)
                  (GOAL $DEDUCE (EQ $I $J))
                  (RETURN (ACCESS $A $I]


•  If  (MAXA  A  I  J)  £  A[J+1]  , 

then 
•  If I < J, (BAGA A J I) is the empty bag:

BAGAEMPTY=(LAMBDA (BAGA ←A ←J ←I)
    (PROG (DECLARE)
        (GOAL $DEDUCE (LT $I $J))
        (RETURN (BAG))))


•  (BAGA A I I) is (BAG A[I]):

BAGAII=(LAMBDA (BAGA ←A ←I ←J)
    (PROG (DECLARE)
        (GOAL $DEDUCE (EQ $I $J))
        (RETURN (BAG (ACCESS $A $I)))))


•  If I ≤ J, then (BAGA A I J) = (BAG (STRIP (BAGA A I J-1)) A[J]):

BAGAMINUS=(LAMBDA (BAGA ←A ←I ←J)
    (PROG (DECLARE)
        ($INSIST (EQUAL ($TYPE $J)
                        IDENT))
        (GOAL $DEDUCE (LTQ $I $J))
        (RETURN (BAG (ACCESS $A $J)
                     (STRIP (BAGA $A $I (SUBTRACT $J 1)))))))

Since this rule would apply so often, it is restricted by forcing J to be an identifier rather than a complex expression.


•  If L ≤ M, then

    (BAGA A L M) = (BAG A[L] (STRIP (BAGA A L+1 M)))

BAGALOWERPLUS=
    (LAMBDA (BAGA ←ARNAME ←L ←M)
        (PROG (DECLARE F LOWER UPPER V U)
            (EXISTS (←F ←←V (STRIP (BAGA $ARNAME ←LOWER
                                                ←UPPER))
                        ←←U))
            (GOAL $DEDUCE (EQ $LOWER (PLUS 1 $L)))
            (RETURN (BAG (ACCESS $ARNAME $L)
                         (STRIP (BAGA $ARNAME (PLUS 1 $L)
                                             $M))))))

This rule tries to determine if its application is desirable by checking in the model for any relationship involving an array segment with lower bound equal to L+1; if no such relationship exists, it is doubtful that the proposed simplification will lead to a proof.

•  If I ≤ J ≤ K, then

    (BAGA (CHANGE A J T) I K) =
        (BAG T (STRIP (BAGA A I K))) ~ (BAG A[J])

On the other hand, if J < I or K < J,

    (BAGA (CHANGE A J T) I K) = (BAGA A I K)

(The notation ~ means the difference between two bags.) In other words, making an assignment to an array element whose index is outside the bounds of a segment does not affect the segment. However, if the index is within the bounds of the segment, then the corresponding bag loses the old value of the array element but gains the new value:

BACH=
    (LAMBDA (BAGA (CHANGE ←A ←J ←T)
                  ←I ←K)
        (PROG (DECLARE)
            (ATTEMPT (GOAL $DEDUCE (LTQ $I $J $K))
                THEN
                (RETURN
                    ($TRY $DIFFRULES
                          ($TRYSUB (TUPLE ACCH ACCEX)
                                   ON (' (ACCESS $A $J))
                                   IN
                                   ($TRYSUB $BAGARULES
                                            ON (' (BAGA $A $I $K))
                                            IN
                                            (' (DIFFERENCE (BAG $T
                                                                (STRIP (BAGA $A $I $K)))
                                                           (BAG (ACCESS $A $J)))))))))
            (GOAL $DEDUCE (OR (LT $J $I)
                              (LT $K $J)))
            (RETURN (BAGA $A $I $K))))

The rule BACH contains many recommendations about possible future simplifications. These recommendations are included to promote efficiency; the simplifier would eventually try the recommended rules even if the advice were omitted. The advice-giving functions TRY and TRYSUB are described in the section on utility functions.


•  As mentioned above, (EXCHANGE A I J) is the array A with the values of A[I] and A[J] interchanged. If I and J are either both inside or both outside an array segment, then the exchange operation has no effect on the bag corresponding to that segment:

BAGEX=
    (LAMBDA (BAGA (EXCHANGE ←A ←I ←J)
                  ←L ←M)
        (PROG (DECLARE)
            (GOAL $DEDUCE (LTQ $I $J))
            (ATTEMPT
                (GOAL $DEDUCE
                      (OR (AND (LTQ $L $I)
                               (LTQ $J $M))
                          (LT $J $L)
                          (LT $M $I)
                          (AND (LT $I $L)
                               (LT $M $J))))
                THEN
                (RETURN (BAGA $A $L $M))
                ELSE
                (FAIL))))

For simplicity, BAGEX requires that I ≤ J.


•  If elements A[I] and A[J] are exchanged, and if J is in the array segment and I is not, or if I is in the segment and J is not, then the corresponding bag is indeed affected by the exchange operation. For instance, in the case in which J is in the segment and I is not, if the segment is bounded by L and M, the new bag is

    (BAG (STRIP (BAGA A L J-1))
         A[I]
         (STRIP (BAGA A J+1 M)))

BAGEX1=
    (LAMBDA (BAGA (EXCHANGE ←A ←I ←J)
                  ←L ←M)
        (PROG (DECLARE)
            (GOAL $DEDUCE (LTQ $I $J))
            (ATTEMPT (GO AL $DEDUCE (AND (LT $I $L)
                                        (LTQ $L $J)
                                        (LTQ $J $M)))
                THEN
                (RETURN (BAG (STRIP (BAGA $A $L (SUBTRACT $J 1)))
                             (ACCESS $A $I)
                             (STRIP (BAGA $A (PLUS 1 $J)
                                             $M)))))
            (ATTEMPT (GOAL $DEDUCE (AND (LT $M $J)
                                        (LTQ $L $I)
                                        (LTQ $I $M)))
                THEN
                (RETURN (BAG (STRIP (BAGA $A $L (SUBTRACT $I 1)))
                             (ACCESS $A $J)
                             (STRIP (BAGA $A (PLUS 1 $I)
                                             $M))))
                ELSE
                (FAIL))))

•  BAGEXCOMPLICATED handles the case in which it can be determined that one of the exchanged elements is within or outside the array segment, but the location of the other array element is uncertain. The result is then a conditional expression. For example, if J is known to be outside the segment but I is only known to be greater than or equal to the lower limit L, the result is

    (IF M < I THEN (BAGA A L M)
     ELSE (BAG (STRIP (BAGA A L I-1))
               A[J]
               (STRIP (BAGA A I+1 M))))

BAGEXCOMPLICATED=
    (LAMBDA (BAGA (EXCHANGE ←A ←I ←J)
                  ←L ←M)
        (PROG (DECLARE)
            (GOAL $DEDUCE (LTQ $I $J))
            (ATTEMPT (GOAL $DEDUCE (AND (LTQ $L $I)
                                        (LT $M $J)))
                THEN
                (RETURN (IFTHENELSE
                            (LT $M $I)
                            (BAGA $A $L $M)
                            (BAG (STRIP (BAGA $A $L (SUBTRACT $I 1)))
                                 (ACCESS $A $J)
                                 (STRIP (BAGA $A (PLUS 1 $I)
                                                 $M))))))
            (ATTEMPT (GOAL $DEDUCE (AND (LTQ $J $M)
                                        (LTQ $L $J)))
                THEN
                (RETURN (IFTHENELSE
                            (LTQ $L $I)
                            (BAGA $A $L $M)
                            (BAG (STRIP (BAGA $A $L (SUBTRACT $J 1)))
                                 (ACCESS $A $I)
                                 (STRIP (BAGA $A (PLUS 1 $J)
                                                 $M)))))
                ELSE
                (FAIL))))

BAGEXCOMPLICATED comes after BAGEX and BAGEX1 in the goal class BAGARULES because we prefer the definite answer they provide to the conditional expression returned by BAGEXCOMPLICATED.


All the rules in this section so far have been simplification rules. There are also two inequality rules that pertain to arrays, INEQSTRIPTRAN and INEQSTRIPSTRIP.


•  To prove that every element in an array segment is less than (or less than or equal to) some quantity C, find an array segment that contains the given segment such that every element in the larger segment stands in the same relation to some quantity D that is, in turn, less than or equal to C:

INEQSTRIPTRAN=
    (LAMBDA (←F (STRIP (BAGA ←ARNAME ←L ←M))
                ←C)
        (PROG (DECLARE LOWER UPPER D)
            (EXISTS ($F (STRIP (BAGA $ARNAME ←LOWER ←UPPER))
                        ←D))
            (GOAL $DEDUCE (AND (LTQ $LOWER $L)
                               (LTQ $M $UPPER)
                               (LTQ $D $C)))))

•  To prove some ordering relation < or ≤ between all the elements of two array segments, S1 and S2, find relations of the same sense involving S1' and C, and involving D and S2'. Then show that S1' and S2' contain S1 and S2, respectively, and that C is less than or equal to D.

INEQSTRIPSTRIP=
    (LAMBDA (←F (STRIP (BAGA ←A ←I ←J))
                (STRIP (BAGA ←A ←K ←L)))
        (PROG (DECLARE LOWER1 UPPER1 LOWER2 UPPER2 C D)
            (ATTEMPT (EXISTS ($F (STRIP (BAGA $A ←LOWER1
                                                 ←UPPER1))
                                 ←C))
                     (EXISTS ($F ←D
                                 (STRIP (BAGA $A ←LOWER2
                                                 ←UPPER2))))
                     (GOAL $DEDUCE (AND (LTQ $LOWER1 $I)
                                        (LTQ $J $UPPER1)
                                        (LTQ $LOWER2 $K)
                                        (LTQ $L $UPPER2)
                                        (LTQ $C $D)))
                ELSE
                (FAIL))))
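The array-segment rules above (BAGAPLUS, BAGAMINUS, BAGAEMPTY, BACH, BAGEX, BAGEX1) are rewrite laws about bags, and a practitioner checking them before trusting a proof can run them on concrete arrays. The following added example does that in Python; it is not part of the paper or of its QA4 code. It uses collections.Counter as the bag, models (BAGA A I J), (CHANGE A J T) and (EXCHANGE A I J) as Python functions, and checks each law over every index combination of a constructed sample array, including the edge cases the prose discusses (an index outside the segment, one exchanged element inside and the other outside, an empty segment). The names baga, change, exchange, bag_diff and the *_holds functions are this example's own.

```python
"""Array-segment rules of the BAGARULES goal class, checked on concrete data.

Added example, not the paper's code.  Counter stands in for a QA4 bag; the
check functions return True when the paper's law holds for the given indices.
"""
from collections import Counter
from itertools import product


def baga(a, i, j):
    """(BAGA A I J): bag of A[I], ..., A[J]; empty when J < I (BAGAEMPTY)."""
    return Counter(a[i:j + 1]) if i <= j else Counter()


def change(a, j, t):
    """(CHANGE A J T): copy of A with A[J] replaced by T."""
    b = list(a)
    b[j] = t
    return b


def exchange(a, i, j):
    """(EXCHANGE A I J): copy of A with A[I] and A[J] swapped."""
    b = list(a)
    b[i], b[j] = b[j], b[i]
    return b


def bag_diff(x, y):
    """x ~ y: bag difference, removing one occurrence per element of y."""
    return x - y


def bagaplus_holds(a, i, j):
    """BAGAPLUS: if I <= J+1 then (BAGA A I J+1) = (BAG A[J+1] (STRIP (BAGA A I J)))."""
    assert i <= j + 1
    return baga(a, i, j + 1) == Counter([a[j + 1]]) + baga(a, i, j)


def bagaminus_holds(a, i, j):
    """BAGAMINUS: if I <= J then (BAGA A I J) = (BAG (STRIP (BAGA A I J-1)) A[J])."""
    assert i <= j
    return baga(a, i, j) == baga(a, i, j - 1) + Counter([a[j]])


def bach_holds(a, j, t, i, k):
    """BACH: segment I..K of (CHANGE A J T), by the two cases in the paper."""
    lhs = baga(change(a, j, t), i, k)
    if i <= j <= k:                      # J inside: lose A[J], gain T
        return lhs == bag_diff(Counter([t]) + baga(a, i, k), Counter([a[j]]))
    return lhs == baga(a, i, k)          # J outside: segment untouched


def bagex_holds(a, i, j, l, m):
    """BAGEX and BAGEX1: segment L..M of (EXCHANGE A I J), with I <= J."""
    assert i <= j
    lhs = baga(exchange(a, i, j), l, m)
    i_in, j_in = l <= i <= m, l <= j <= m
    if i_in == j_in:                     # both inside or both outside: unchanged
        return lhs == baga(a, l, m)
    if j_in:                             # J inside, I outside: A[J] replaced by A[I]
        return lhs == baga(a, l, j - 1) + Counter([a[i]]) + baga(a, j + 1, m)
    return lhs == baga(a, l, i - 1) + Counter([a[j]]) + baga(a, i + 1, m)


def check_all_rules(a):
    """Run every law over all index combinations for array A.

    Returns the number of (law, indices) instances checked; a counterexample
    raises AssertionError carrying the law name and the offending indices.
    """
    n = len(a)
    count = 0
    for i, j in product(range(n), repeat=2):
        if i <= j + 1 and j + 1 < n:
            assert bagaplus_holds(a, i, j), ("BAGAPLUS", i, j)
            count += 1
        if i <= j:
            assert bagaminus_holds(a, i, j), ("BAGAMINUS", i, j)
            count += 1
    for j, i, k in product(range(n), repeat=3):
        assert bach_holds(a, j, 99, i, k), ("BACH", j, i, k)
        count += 1
    for i, j, l, m in product(range(n), repeat=4):
        if i <= j:
            assert bagex_holds(a, i, j, l, m), ("BAGEX", i, j, l, m)
            count += 1
    return count


if __name__ == "__main__":
    # Constructed sample array with a repeated value, so bag (not set) semantics matter.
    print(check_all_rules([3, 1, 4, 1, 5]))
```

The repeated value 1 in the sample is deliberate: with a set instead of a bag, BACH's subtraction of (BAG A[J]) would remove both occurrences and the law would fail, which is why the paper reasons about bags rather than sets.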


7.  Reasoning About Bags

We have accumulated a number of rules about bags. Many of these rules have set-theoretic counterparts, which could have been included, but we have needed only bags in our proofs.

We use the QA4 function DIFFERENCE to mean the difference between bags, written informally as ~.

•  (BAG x y) ~ (BAG x) = (BAG y):

DIFFXX=(LAMBDA (DIFFERENCE (BAG ←X ←←Y)
                           (BAG ←X))
    (BAG $$Y))

•  cons(x, y ~ z) = cons(x, y) ~ z:

CONSDIFF=(LAMBDA (CONS ←X (DIFFERENCE ←Y ←←Z))
    (' (DIFFERENCE (CONS $X $Y)
                   $$Z)))

•  (x ~ y) ~ z = x ~ y ~ z:

DIFDIF=(LAMBDA (DIFFERENCE (DIFFERENCE ←X ←←Y)
                           ←←Z)
    (' (DIFFERENCE $X $$Y $$Z)))

•  cons(x, y) ~ (BAG x) ~ u = y ~ u:

DIFFCONS=(LAMBDA (DIFFERENCE (CONS ←X ←Y)
                             (BAG ←X)
                             ←←U)
    ($TRY (TUPLE DIFFONE)
          (' (DIFFERENCE $Y $$U))))

•  (DIFFERENCE x) is taken to be x itself:

DIFFONE=(LAMBDA (DIFFERENCE ←X)
    $X)

•  (BAG (STRIP x)) = x:

BAGSTRIP=(LAMBDA (BAG (STRIP ←X))
    $X)


8.  Reasoning About Substitutions

The rules in this section were added to prove assertions about the pattern matcher and the unification algorithm.

•  An atom is either a variable or a constant:

    ¬var(x) ∧ ¬const(x) ⊃ ¬atom(x)

NOTATOM=(LAMBDA (NOT (ATOM ←X))
    (PROG (DECLARE)
        (EXISTS (NOT (VAR $X)))
        (EXISTS (NOT (CONST $X)))))

•  If an expression is made of constants, so are the car and the cdr of the expression:

CONSTCAR=(LAMBDA (CONSTEXP (CAR ←X))
    (EXISTS (CONSTEXP $X)))

CONSTCDR=(LAMBDA (CONSTEXP (CDR ←X))
    (EXISTS (CONSTEXP $X)))

NOTATOM, CONSTCAR, and CONSTCDR are DEDUCE rules.

•  The empty substitution does not change the expression:

SUBSTEMPTY=(LAMBDA (VARSUBST EMPTY ←X)
    $X)

•  No substitution changes an expression made up entirely of constants:

SUBSTCONST=(LAMBDA (VARSUBST ←S ←Y)
    (PROG (DECLARE)
        (GOAL $DEDUCE (CONSTEXP $Y))
        $Y))

SUBSTEMPTY and SUBSTCONST are simplification rules.


•  To prove

    varsubst(s, car(x)) = car(y)

prove

    varsubst(s, x) = y

SUBSTCAR=(LAMBDA (EQ (VARSUBST ←S1 (CAR ←X))
                     (CAR ←Y))
    (GOAL $EQRULES (EQ (VARSUBST $S1 $X)
                       $Y)))

•  Similarly, to prove

    varsubst(s, cdr(x)) = cdr(y)

prove

    varsubst(s, x) = y

SUBSTCDR=(LAMBDA (EQ (VARSUBST ←S1 (CDR ←X))
                     (CDR ←Y))
    (GOAL $EQRULES (EQ (VARSUBST $S1 $X)
                       $Y)))

•  To prove

    varsubst(s, x) = y

where x and y are nonatomic, prove

    varsubst(s, car(x)) = car(y)

and

    varsubst(s, cdr(x)) = cdr(y)

SUBSTCONS=(LAMBDA (EQ (VARSUBST ←S1 ←X)
                      ←Y)
    (PROG (DECLARE)
        (GOAL $DEDUCE (NOT (ATOM $X)))
        (GOAL $DEDUCE (NOT (ATOM $Y)))
        (GOAL (= ($REMOVE EQSUBST FROM
                          $EQRULES))
              (EQ (VARSUBST $S1 (CAR $X))
                  (CAR $Y)))
        (GOAL (= ($REMOVE EQSUBST FROM
                          $EQRULES))
              (EQ (VARSUBST $S1 (CDR $X))
                  (CDR $Y)))))

•  SUBSTCAR, SUBSTCDR, and SUBSTCONS are equality rules. They are clustered together in a goal class:

EQSUBSTRULES=(TUPLE SUBSTCAR SUBSTCDR SUBSTCARCDR SUBSTCONS)

•  EQSUBSTRULES is called from EQSUBST, an EQRULE:

EQSUBST=(LAMBDA (PAND ←Y (EQ (VARSUBST ←S ←X)
                             ←Z))
    (GOAL $EQSUBSTRULES $Y))

Note that SUBSTCONS removes EQSUBST from the EQRULES. This prevents the system from looping by applying SUBSTCONS followed by SUBSTCAR.

•  To prove

    varsubst(s, u) = varsubst(s, v),

where u and v are nonatomic, prove

    varsubst(s, car(u)) = varsubst(s, car(v))

and

    varsubst(s, cdr(u)) = varsubst(s, cdr(v))

SUBSTCARCDR=(LAMBDA (EQ (VARSUBST ←S ←U)
                        (VARSUBST ←S ←V))
    (PROG (DECLARE)
        (GOAL $DEDUCE (NOT (ATOM $U)))
        (GOAL $DEDUCE (NOT (ATOM $V)))
        (GOAL $EQRULES
              (EQ (VARSUBST $S (CAR $U))
                  (VARSUBST $S (CAR $V))))
        (GOAL $EQRULES
              (EQ (VARSUBST $S (CDR $U))
                  (VARSUBST $S (CDR $V))))))

Substitutions are represented as lists of dotted pairs.

•  If v is a variable,

    varsubst(((v . y)), v) = y

SUBSTLIST=(LAMBDA (VARSUBST (LIST (CONS ←V ←Y))
                            ←V)
    (PROG (DECLARE)
        (EXISTS (VAR $V))
        $Y))

•  The composition operator has the property:

    varsubst(compose(s1, s2), x) = varsubst(s1, varsubst(s2, x))

SUBSTCOMPOSE=(LAMBDA (VARSUBST (COMPOSE ←S1 ←S2)
                               ←X)
    ($TRY $SUBSTRULES
          (' (VARSUBST $S1 (VARSUBST $S2 $X)))))

•  These simplification rules are members of the goal class

SUBSTRULES=(TUPLE SUBSTEMPTY SUBSTLIST SUBSTCOMPOSE SUBSTCONST)

which is called by SUBSTOP, a member of TOPRULES:

SUBSTOP=(LAMBDA (PAND (VARSUBST ←←X)
                      ←Y)
    (GOAL $SUBSTRULES $Y))
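The substitution rules of this section are easiest to believe once varsubst and compose are written down and the three simplification laws (SUBSTEMPTY, SUBSTCONST, SUBSTCOMPOSE) are run against a sample expression. The following is an added example in Python, not the paper's code or a transcription of the verified LISP programs. Its assumptions: an expression is an atom (a string) or a cons pair (a 2-tuple); atoms beginning with "?" are variables and all other atoms are constants; a substitution is a list of (variable, expression) pairs, the "list of dotted pairs" representation mentioned above; and compose(s1, s2) is defined so that the paper's SUBSTCOMPOSE property holds, i.e., s2 is applied first and then s1. The function subst_equal mirrors how SUBSTCONS, SUBSTCAR and SUBSTCDR split an equality goal into car and cdr subgoals.

```python
"""Substitutions on S-expressions, following the section on reasoning about
substitutions.  Added example, not the paper's own code; representation
choices (str atoms, "?" variables, list-of-pairs substitutions) are assumed.
"""

EMPTY = []


def is_atom(x):
    return isinstance(x, str)


def is_var(x):
    return is_atom(x) and x.startswith("?")


def is_const(x):
    return is_atom(x) and not x.startswith("?")


def constexp(x):
    """CONSTEXP: x is built only from constants (closed under car and cdr,
    as the CONSTCAR and CONSTCDR rules require)."""
    if is_atom(x):
        return is_const(x)
    car, cdr = x
    return constexp(car) and constexp(cdr)


def varsubst(s, x):
    """VARSUBST: replace each variable of x by its binding in s, if any."""
    if is_var(x):
        for v, y in s:                 # SUBSTLIST: varsubst(((v . y)), v) = y
            if v == x:
                return y
        return x
    if is_atom(x):
        return x                       # a constant atom is unchanged
    car, cdr = x                       # SUBSTCONS: substitute into car and cdr
    return (varsubst(s, car), varsubst(s, cdr))


def compose(s1, s2):
    """COMPOSE: the substitution that applies s2 and then s1."""
    dom2 = {v for v, _ in s2}
    return ([(v, varsubst(s1, y)) for v, y in s2]
            + [(v, y) for v, y in s1 if v not in dom2])


def subst_equal(s, x, y):
    """Decide varsubst(s, x) = y the way SUBSTCONS/SUBSTCAR/SUBSTCDR do:
    compare atoms directly, split non-atomic x and y into car and cdr subgoals."""
    if is_atom(x) or is_atom(y):
        return varsubst(s, x) == y
    return subst_equal(s, x[0], y[0]) and subst_equal(s, x[1], y[1])


def check_properties(s1, s2, x):
    """The three simplification laws of the section, checked on given inputs."""
    law_empty = varsubst(EMPTY, x) == x                                    # SUBSTEMPTY
    law_const = (not constexp(x)) or varsubst(s1, x) == x                  # SUBSTCONST
    law_compose = (varsubst(compose(s1, s2), x)
                   == varsubst(s1, varsubst(s2, x)))                       # SUBSTCOMPOSE
    return law_empty and law_const and law_compose


if __name__ == "__main__":
    # Constructed sample: f(?x, ?y) as the cons structure ("f", ("?x", ("?y", "nil"))).
    expr = ("f", ("?x", ("?y", "nil")))
    s2 = [("?x", ("g", ("?y", "nil")))]
    s1 = [("?y", "a")]
    print(varsubst(compose(s1, s2), expr))
    print(check_properties(s1, s2, expr))
```

Note that compose must substitute s1 into the right-hand sides of s2: with the sample above, the variable ?y introduced by s2's binding for ?x is itself bound by s1, and dropping that step breaks the SUBSTCOMPOSE law.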
9.  Utility Functions

•  TRY is like a GOAL statement that will not fail if none of the goal class apply but instead returns its argument:

TRY=(LAMBDA (TUPLE ←GOALCLASS ←GOAL1)
    (ATTEMPT (GOAL $GOALCLASS $GOAL1)
        ELSE $GOAL1))

It evaluates (GOAL $GOALCLASS $GOAL1), but, if failure results, it returns GOAL1.

•  TRYALL will try a goal class on an expression. If any member of the goal class applies, it will apply the same goal class to the resulting expression, and so on, until no rule applies. TRYALL returns the last expression it has derived, which may be the same as the first expression. TRYALL will not fail:

TRYALL=(LAMBDA (TUPLE ←GOALCLASS1 ←GOAL1)
    (PROG (DECLARE)
        TOP
        (ATTEMPT (SETQ ←GOAL1 (GOAL $GOALCLASS1
                                    $GOAL1))
            THEN
            (GO TOP))
        (RETURN $GOAL1)))

•  TRYALLFAIL is like TRYALL, except it will fail if none of the goal class apply to the argument:

TRYALLFAIL=(LAMBDA (TUPLE ←GOALCLASS1 ←GOAL1)
    ($TRYALL $GOALCLASS1 (GOAL $GOALCLASS1
                                $GOAL1)))

•  TRYSUB applies a goal class to a specially designated subexpression of the given expression:

TRYSUB=(LAMBDA (TUPLE ←GOALCLASS ON ←SUB IN ←EXP)
    (SUBST $EXP (TUPLE $SUB ($TRYALL $GOALCLASS
                                     $SUB))))

•  INSIST fails if its argument is FALSE:

INSIST=(LAMBDA ←X (IF $X ELSE (FAIL)))

•  REMOVE removes a designated item from a tuple:

REMOVE=(LAMBDA (TUPLE ←X FROM ←Y)
    ((QUOTE (LAMBDA (TUPLE ←←U $X ←←V)
                    (TUPLE $$U $$V)))
     $Y))


•  ASK queries the user:

ASK=(LAMBDA ←X (IF (LISP ASK $X)
                ELSE
                (FAIL)))

It types two expressions, the first a QA4 expression and the second an atom (e.g., PROVE? or SIMPLIFY?), which it receives together as its tuple argument. If the user types YES, TRUE, OK, Y, or T, say, ASK returns TRUE. Otherwise ASK fails. ASK uses a LISP function of the same name.

•  SHORTEST computes the "smallest" element of a set, bag, or tuple:

SHORTEST=
    (LAMBDA ←X
        (PROG (DECLARE BEST BESTCOUNT TEMPCOUNT)
            (SETQ ←BESTCOUNT 2000)
            (MAPC $X (QUOTE (LAMBDA ←Y
                                (IF (OR (LT (SETQ ←TEMPCOUNT
                                                  (LISP QA4COUNT $Y))
                                            $BESTCOUNT)
                                        (EQUAL ($TYPE $Y)
                                               NUMBER))
                                    THEN
                                    (SETQ ←BEST $Y)
                                    (SETQ ←BESTCOUNT $TEMPCOUNT)))))
            $BEST))

The size of an expression is roughly the number of atoms in the expression. It is computed by a LISP function, QA4COUNT. Numbers are assumed to be "smaller" than identifiers.
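TRY, TRYALL, TRYALLFAIL and TRYSUB are easiest to understand by running them over a real goal class, so the following added example (Python, not the paper's QA4 code) implements them on top of a minimal rule engine and uses the bag-difference rules of Section 7 (DIFFXX, CONSDIFF, DIFDIF, DIFFCONS, DIFFONE, BAGSTRIP) as the goal class. Assumptions: an expression is an atom (a string) or a tuple whose first element is the operator name; a rule is a function that returns the rewritten expression or raises Fail, standing for QA4's FAIL; a goal class is a tuple of rules tried in order, as the paper's TUPLE goal classes are; the class name DIFFRULES is invented for this example; and simplify adds the bottom-up traversal the paper attributes to ARGSIMP so that inner differences disappear before outer ones.

```python
"""Goal-class rewriting in the style of the QA4 simplifier: TRY, TRYALL,
TRYALLFAIL and TRYSUB applied to the bag-difference rules of Section 7.

Added example, not the paper's code.  Assumed representation: atoms are
strings, applications are tuples headed by the operator name, FAIL is the
exception Fail, and the goal-class name DIFFRULES is invented here.
"""


class Fail(Exception):
    """Raised by a rule that does not apply, like (FAIL) in QA4."""


def goal(goal_class, expr):
    """(GOAL class expr): the first rule that applies wins; otherwise fail."""
    for rule in goal_class:
        try:
            return rule(expr)
        except Fail:
            continue
    raise Fail(expr)


def try_(goal_class, expr):
    """TRY: like GOAL, but returns its argument unchanged instead of failing."""
    try:
        return goal(goal_class, expr)
    except Fail:
        return expr


def tryall(goal_class, expr):
    """TRYALL: reapply the goal class until no rule applies; never fails."""
    while True:
        try:
            expr = goal(goal_class, expr)
        except Fail:
            return expr


def tryallfail(goal_class, expr):
    """TRYALLFAIL: like TRYALL, but fails when not even one rule applies."""
    return tryall(goal_class, goal(goal_class, expr))


def trysub(goal_class, sub, expr):
    """TRYSUB: TRYALL on the designated subexpression, substituted back into expr."""
    new = tryall(goal_class, sub)

    def subst(e):
        if e == sub:
            return new
        return tuple(subst(x) for x in e) if isinstance(e, tuple) else e
    return subst(expr)


def is_op(e, name, arity=None):
    """True when e applies operator `name` (with the given arity, if one is given)."""
    return (isinstance(e, tuple) and len(e) > 0 and e[0] == name
            and (arity is None or len(e) == arity + 1))


def diffxx(e):      # (DIFFERENCE (BAG x ..y) (BAG x)) -> (BAG ..y)
    if (is_op(e, "DIFFERENCE", 2) and is_op(e[1], "BAG")
            and is_op(e[2], "BAG", 1) and e[2][1] in e[1][1:]):
        rest = list(e[1][1:])
        rest.remove(e[2][1])            # one occurrence only: bag, not set, semantics
        return ("BAG", *rest)
    raise Fail(e)

def consdiff(e):    # (CONS x (DIFFERENCE y ..z)) -> (DIFFERENCE (CONS x y) ..z)
    if is_op(e, "CONS", 2) and is_op(e[2], "DIFFERENCE") and len(e[2]) >= 2:
        return ("DIFFERENCE", ("CONS", e[1], e[2][1]), *e[2][2:])
    raise Fail(e)

def difdif(e):      # (DIFFERENCE (DIFFERENCE x ..y) ..z) -> (DIFFERENCE x ..y ..z)
    if is_op(e, "DIFFERENCE") and len(e) >= 2 and is_op(e[1], "DIFFERENCE"):
        return ("DIFFERENCE", *e[1][1:], *e[2:])
    raise Fail(e)

def diffone(e):     # (DIFFERENCE x) -> x
    if is_op(e, "DIFFERENCE", 1):
        return e[1]
    raise Fail(e)

def diffcons(e):    # (DIFFERENCE (CONS x y) (BAG x) ..u) -> TRY DIFFONE on (DIFFERENCE y ..u)
    if (is_op(e, "DIFFERENCE") and len(e) >= 3 and is_op(e[1], "CONS", 2)
            and e[2] == ("BAG", e[1][1])):
        return try_((diffone,), ("DIFFERENCE", e[1][2], *e[3:]))
    raise Fail(e)

def bagstrip(e):    # (BAG (STRIP x)) -> x
    if is_op(e, "BAG", 1) and is_op(e[1], "STRIP", 1):
        return e[1][1]
    raise Fail(e)

DIFFRULES = (diffxx, consdiff, difdif, diffcons, diffone, bagstrip)   # invented name


def simplify(e):
    """Arguments first, then the whole expression (the paper's ARGSIMP followed by
    the goal class), so inner differences are removed before outer ones."""
    if isinstance(e, tuple) and len(e) > 1:
        e = (e[0], *(simplify(x) for x in e[1:]))
    return tryall(DIFFRULES, e)


if __name__ == "__main__":
    # Constructed sample term; a, b, c are atoms.
    term = ("DIFFERENCE", ("DIFFERENCE", ("BAG", "a", "b", "c"), ("BAG", "a")), ("BAG", "b"))
    print(simplify(term))
```

TRYALL terminates here because every rule in DIFFRULES shrinks or flattens its input; a goal class containing a pair of rules that undo each other would make TRYALL loop, which is the same hazard the section on substitutions avoids by removing EQSUBST from the EQRULES inside SUBSTCONS.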

Table A-1 gives an index of functions and goal classes.

Table A-1

INDEX OF FUNCTIONS AND GOAL CLASSES

NAME                  PAGE
ACCEX                   80
ACCH                    78
ANDSPLIT                59
ARGSIMP                 67
ASK                     92
BACH                    82
BAGAEMPTY               81
BAGAII                  81
BAGALOWERPLUS           81
BAGAMINUS               81
BAGAOP                  79
BAGAPLUS                79
BAGARULES               79
BAGEX                   83
BAGEX1                  84
BAGEXCOMPLICATED        85
BAGSIMP                 67
BAGSTRIP                87
CANCEL                  76
CONSDIFF                87
CONSTCAR                88
CONSTCDR                88
DEDUCE*                 65
DIFDIF                  87
DIFFCONS                87
DIFFONE                 87
DIFFXX                  86
DOWNRULES*              67
EQINEQMONOTONE          70
EQNUMB                  68
EQRULES*                59
EQSIMP                  61
EQSUBST                 89
EQSUBSTRULES            89
EQTIMESDIVIDE           69
EXPEXP                  78
EXPZERO                 78
FAILINTODOWNRULES       68
FIFTHENELSE             68
FSUBTRACT1              70
FSUBTRACT2              70
GCDEQ                   78
GTQLTQ                  62
HASSIMP                 67
INEQIFTHENELSE          64
INEQLEIB                63
INEQSTRIPBAG            64
INEQSTRIPSTRIP          86
INEQSTRIPTRAN           86
INEQTIMESDIVIDE         70
INEQUALITIES*           62
INSIST                  91
LEIBB                   61
LEIBF                   61
LEIBS                   61
LEIBT                   61
LTPLUS                  69
LTQMANY                 62
LTQPLUS                 69
MAXONE                  80
MAXPLUS                 79
MINUSMINUS              77
MINUSOP                 76
MINUSPLUS               77
MINUSZERO               77
NOTATOM                 88
ORSPLIT                 60
ORSPLITMANY             60
PLUSCOMBINE             74
PLUSDIFFERENCE          74
PLUSEMPTY               73
PLUSMINUS               73
PLUSNUMBER              74
PLUSOP                  72
PLUSPLUS                73
PLUSRULES               72
PLUSSINGLE              73
PLUSZERO                73
PROOFLEIB               62
PROOFSIMP               63
PROOFSWITCH             59
PROVE*                  57
RELCHECK                60
REMOVE                  92
SETSIMP                 67
SHORTEST                92
SIMPONE                 66
SQRULE                  76
SUBNUM                  77
SUBPLUS                 77
SUBSTCAR                88
SUBSTCARCDR             90
SUBSTCDR                89
SUBSTCOMPOSE            90
SUBSTCONS               89
SUBSTCONST              88
SUBSTEMPTY              88
SUBSTLIST               90
SUBSTOP                 90
SUBSTRULES              90
TIMESDIVIDEONE          76
TIMESEMPTY              75
TIMESEXP                76
TIMESONE                75
TIMESOP                 74
TIMESPLUS               75
TIMESRULES*             75
TIMESSINGLE             75
TIMESTIMES              76
TIMESZERO               75
TOPRULES*               66
TRY                     91
TRYALL                  91
TRYALLFAIL              91
TRYSUB                  91
TUPSIMP                 67

* Goal class.
Appendix B

TRACES OF SOLUTIONS

1.  The Maximum of an Array (1)

A complete trace of a proof performed by our system is presented below. The verification condition to be proved is derived from the program to compute the maximal element of an array. Although a proof is contained above in the body of the text, following the trace tells us exactly what rules were applied in the proof. Furthermore, we can see exactly what false starts were made by the system and what user interaction was required to keep the program on the right track.

This particular verification condition was derived from the loop path of the program. The hypotheses are

 1 (CONTEXT (1 0) 1 0)
 2 (ASSERT (EQ MAX (ACCESS A LOC)) WRT $VERICON)
 3 TRUE
 4 (ASSERT (LTQ (STRIP (BAGA A 0 I)) MAX) WRT $VERICON)
 5 TRUE
 6 (ASSERT (LTQ 0 LOC) WRT $VERICON)
 7 TRUE
 8 (ASSERT (LTQ LOC I) WRT $VERICON)
 9 TRUE
10 (ASSERT (LTQ I N) WRT $VERICON)
11 TRUE
12 (DENY (LT N (PLUS 1 I)) WRT $VERICON)
13 FLASE
14 (DENY (LT MAX (ACCESS A (PLUS 1 I))) WRT $VERICON)
15 FLASE

The word "FLASE" is a misspelling of "FALSE."

Since the hypotheses for the different verification conditions of a program may contradict each other, each proof is done in a separate context. The name of that context is VERICON. That is the meaning of the phrase "WRT $VERICON," which follows our assertions and goal. (For this proof VERICON is ((1 0) 1 0).) Assertions made with respect to one VERICON will not affect problems solved with respect to another.


16 (GOAL $PROVE (LTQ (STRIP (BAGA A 0 (PLUS 1 I))) MAX) WRT $VERICON)
17 LAMBDA PROOFSWITCH (LTQ (STRIP (BAGA A 0 (PLUS 1 I))) MAX)

When a traced function is applied to an argument, the trace says

    LAMBDA <function name> <argument>

Some of the utility functions are not traced.

18 (GOAL $INEQUALITIES ($F $X))
19 LAMBDA RELCHECK (LTQ (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
20 LAMBDA PROOFSIMP (LTQ (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
21 LAMBDA ARGSIMP (LTQ (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
22 LAMBDA SIMPONE (TUPLE (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
(TUPLE (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
SIMPLIFY?
: Y

The system asked us whether we wanted it to simplify

    (TUPLE (STRIP (BAGA A 0 (PLUS 1 I))) MAX)

We said yes.

23 (GOAL $TOPRULES $GOAL1)
24 LAMBDA HASSIMP (TUPLE (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
25 (FAIL)
26 LAMBDA EQNUMB (TUPLE (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
27 (FAIL)
28 (GOAL $DOWNRULES $GOAL1)
29 LAMBDA TUPSIMP (TUPLE (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
30 LAMBDA SIMPONE (STRIP (BAGA A 0 (PLUS 1 I)))
(STRIP (BAGA A 0 (PLUS 1 I)))
SIMPLIFY?
: Y
31 (GOAL $TOPRULES $GOAL1)
32 LAMBDA HASSIMP (STRIP (BAGA A 0 (PLUS 1 I)))
33 (FAIL)
34 LAMBDA EQNUMB (STRIP (BAGA A 0 (PLUS 1 I)))
35 (FAIL)
36 (GOAL $DOWNRULES $GOAL1)
37 LAMBDA ARGSIMP (STRIP (BAGA A 0 (PLUS 1 I)))
38 LAMBDA SIMPONE (BAGA A 0 (PLUS 1 I))
(BAGA A 0 (PLUS 1 I))
SIMPLIFY?
: Y

We have given the system permission to simplify (BAGA A 0 (PLUS 1 I)).

39 (GOAL $TOPRULES $GOAL1)
40 LAMBDA HASSIMP (BAGA A 0 (PLUS 1 I))
41 (FAIL)
42 LAMBDA BAGAOP (BAGA A 0 (PLUS 1 I))
43 (GOAL $GOALCLASS1 $GOAL1)
44 LAMBDA BAGAPLUS (BAGA A 0 (PLUS 1 I))
45 (GOAL $DEDUCE (LTQ $I (PLUS 1 $J)))

The system tries to prove that 0 ≤ (PLUS 1 I).

46 LAMBDA RELCHECK (LTQ 0 (PLUS 1 I))
47 LAMBDA LTQPLUS (LTQ 0 (PLUS 1 I))
48 (GOAL $DEDUCE (AND (LTQ $I $J) (LTQ 0 $K)))
49 LAMBDA RELCHECK (AND (LTQ 0 I) (LTQ 0 1))

It breaks down the goal to 0 ≤ I and 0 ≤ 1.

50 LAMBDA ANDSPLIT (AND (LTQ 0 I) (LTQ 0 1))
51 (GOAL $GOALCLASS $X)
52 LAMBDA RELCHECK (LTQ 0 1)
53 RELCHECK = TRUE

When a function returns a value, the trace says

    <function name> = <value>

In this case, the system knew that 0 ≤ 1 by performing the corresponding LISP evaluation.

54 (GOAL $GOALCLASS $Y)
55 LAMBDA RELCHECK (LTQ 0 I)
56 RELCHECK = TRUE

The 0 ≤ I follows from hypotheses 6 and 8 (0 ≤ LOC and LOC ≤ I).

57 ANDSPLIT = TRUE
58 LTQPLUS = TRUE
59 BAGAPLUS = (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))

The system has succeeded in simplifying

    (BAGA A 0 (PLUS 1 I))

to

    (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))

60 (GOAL $GOALCLASS1 $GOAL1)
61 BAGAOP = (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))
62 SIMPONE = (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))
63 ARGSIMP = (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I))))
64 (GOAL $GOALCLASS $GOAL1)
65 LAMBDA HASSIMP (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I))))
66 (FAIL)
67 LAMBDA EQNUMB (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I))))
68 (FAIL)
69 SIMPONE = (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I))))
70 TUPSIMP = (TUPLE (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))) MAX)
71 (GOAL $GOALCLASS $GOAL1)
72 LAMBDA HASSIMP (TUPLE (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))) MAX)
73 (FAIL)
74 LAMBDA EQNUMB (TUPLE (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))) MAX)
75 (FAIL)
76 SIMPONE = (TUPLE (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))) MAX)
77 ARGSIMP = (LTQ (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))) MAX)

The problem now is to prove

    (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))) ≤ MAX:

78 (GOAL $GOALCLASS1 $X)
79 LAMBDA RELCHECK (LTQ (STRIP (BAG (ACCESS A (PLUS 1 I)) (STRIP (BAGA A 0 I)))) MAX)
80 RELCHECK = TRUE

RELCHECK succeeds at once, since the system already knows

    (ACCESS A (PLUS 1 I)) ≤ MAX from (14),

and

    (STRIP (BAGA A 0 I)) ≤ MAX from (4),

so the proof is complete:

81 PROOFSIMP = TRUE
82 (ASSERT ($F $X))
83 PROOFSWITCH = (LTQ (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
84 (LTQ (STRIP (BAGA A 0 (PLUS 1 I))) MAX)
The Maximum of an Array (2)

The following is the trace of the proof for another verification condition for the program that computes the maximal element of an array. This verification condition is derived from the halt path of the program.

 1 (CONTEXT (1 0) 1 0)
 2 (ASSERT (EQ MAX (ACCESS A LOC)) WRT $VERICON)
 3 TRUE
 4 (ASSERT (LTQ (STRIP (BAGA A 0 I)) MAX) WRT $VERICON)
 5 TRUE
 6 (ASSERT (LTQ 0 LOC) WRT $VERICON)
 7 TRUE
 8 (ASSERT (LTQ LOC I) WRT $VERICON)
 9 TRUE
10 (ASSERT (LTQ I N) WRT $VERICON)
11 TRUE
12 (ASSERT (LT N (PLUS 1 I)) WRT $VERICON)

There is a demon that knows that in the integer domain,

    x < y ⊃ x+1 ≤ y

This demon is responsible for the assertion

13 (ASSERT (LTQ (PLUS 1 $X) $Y) WRT $VERICON)

The system now knows N+1 ≤ I+1. This assertion wakes up another demon:

14 (ASSERT (LTQ $Y $U) WRT $VERICON)
15 TRUE

The system now knows that N ≤ I. Since I ≤ N has just been asserted (10), the mechanism for storing ordering relations silently tells the system that I = N.
The system proceeds with the proof:

16 (GOAL $PROVE (LTQ (STRIP (BAGA A 0 N)) (ACCESS A LOC)) WRT $VERICON)
17 LAMBDA PROOFSWITCH (LTQ (STRIP (BAGA A 0 N)) (ACCESS A LOC))
18 (GOAL $INEQUALITIES ($F $X))
19 LAMBDA RELCHECK (LTQ (STRIP (BAGA A 0 N)) (ACCESS A LOC))
20 LAMBDA PROOFSIMP (LTQ (STRIP (BAGA A 0 N)) (ACCESS A LOC))
21 LAMBDA ARGSIMP (LTQ (STRIP (BAGA A 0 N)) (ACCESS A LOC))
22 LAMBDA SIMPONE (TUPLE (STRIP (BAGA A 0 N)) (ACCESS A LOC))
(TUPLE (STRIP (BAGA A 0 N)) (ACCESS A LOC))
SIMPLIFY?
23 (FAIL)
24 (FAIL)
25 LAMBDA PROOFLEIB (LTQ (STRIP (BAGA A 0 N)) (ACCESS A LOC))
26 (EXISTS ($F ←Y))

The system searches the data base for an assertion of the form (LTQ ←Y), i.e., the gross form of the goal we are trying to prove. It finds one [assertion (4)] and asks us if it should try to prove that the argument of the assertion it has found is equal to the argument of the goal:

(EQ (TUPLE (STRIP (BAGA A 0 N)) (ACCESS A LOC)) (TUPLE (STRIP (BAGA A 0 I)) MAX))
PROVE?

We say yes, and the proof proceeds.

27 (GOAL $EQRULES (EQ $X $Y))
28 LAMBDA RELCHECK (EQ (TUPLE (STRIP (BAGA A 0 N)) (ACCESS A LOC)) (TUPLE (STRIP (BAGA A 0 I)) MAX))
29 RELCHECK = TRUE
30 PROOFLEIB = TRUE
31 (ASSERT ($F $X))
32 PROOFSWITCH = (LTQ (STRIP (BAGA A 0 N)) (ACCESS A LOC))
33 (LTQ (STRIP (BAGA A 0 N)) (ACCESS A LOC))

The two tuples were found to be equal because N = I (from 10 and 14) and MAX = A[LOC]. The proof is complete.
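The two traces above prove the loop-path and halt-path verification conditions of the array-maximum program. Before attempting such a proof, a practitioner usually wants to see the verification conditions checked mechanically on small inputs, since a wrong invariant shows up there in seconds. The following added example does this in Python; it is not part of the paper. The program array_max is reconstructed from the hypotheses in the traces (A indexed 0..N, MAX holding A[LOC], every element of A[0..I] at most MAX at the loop head); it is an assumption that this is exactly the program the paper verified. The two VC functions return True when the trace's hypotheses imply its goal for a concrete state, and the use_14 switch shows what happens when the path condition from the DENY at line 14 is dropped.

```python
"""Loop-path and halt-path verification conditions of the array-maximum
program, made executable.  Added example, not the paper's code; the program
is reconstructed from the hypotheses in the traces (an assumption).
"""
from itertools import product


def loop_path_vc(a, n, i, loc, mx, use_14=True):
    """Trace 1: hypotheses (2), (4), (6), (8), (10), (12), (14) imply that every
    element of A[0..I+1] is <= MAX.  use_14=False drops the path condition (14)."""
    hyps = (mx == a[loc]                                  # (2)  MAX = A[LOC]
            and all(x <= mx for x in a[0:i + 1])          # (4)  A[0..I] <= MAX
            and 0 <= loc <= i <= n                        # (6), (8), (10)
            and not n < i + 1                             # (12) DENY N < I+1
            and (not use_14 or not mx < a[i + 1]))        # (14) DENY MAX < A[I+1]
    goal = all(x <= mx for x in a[0:i + 2])
    return (not hyps) or goal


def halt_path_vc(a, n, i, loc, mx):
    """Trace 2: hypotheses (2), (4), (6), (8), (10), (12) imply that every
    element of A[0..N] is <= A[LOC]."""
    hyps = (mx == a[loc]
            and all(x <= mx for x in a[0:i + 1])
            and 0 <= loc <= i <= n
            and n < i + 1)                                # (12) loop exit: N < I+1
    goal = all(x <= a[loc] for x in a[0:n + 1])
    return (not hyps) or goal


def array_max(a):
    """Reconstructed program: returns LOC with A[LOC] maximal over A[0..N].
    The loop invariant of the traces is asserted at every loop head."""
    n = len(a) - 1
    i, loc, mx = 0, 0, a[0]
    while True:
        assert mx == a[loc] and all(x <= mx for x in a[0:i + 1]) and 0 <= loc <= i <= n
        if n < i + 1:                   # halt path (trace 2)
            return loc
        if mx < a[i + 1]:               # the path not shown in the traces
            mx, loc = a[i + 1], i + 1
        i += 1                          # loop path (trace 1)


def exhaustive_check(max_len, values):
    """Check both VCs for every array of length <= max_len over `values` and
    every state (I, LOC, MAX) in range; returns the number of states tried."""
    tried = 0
    for length in range(1, max_len + 1):
        for a in product(values, repeat=length):
            n = length - 1
            for i, loc in product(range(n + 1), repeat=2):
                for mx in values:
                    assert loop_path_vc(a, n, i, loc, mx), (a, i, loc, mx)
                    assert halt_path_vc(a, n, i, loc, mx), (a, i, loc, mx)
                    tried += 1
    return tried


if __name__ == "__main__":
    # Constructed sample inputs.
    print(array_max([3, 1, 4, 1, 5]))
    print(exhaustive_check(3, (0, 1, 2)))
    print(loop_path_vc((1, 5), 1, 0, 0, 1, use_14=False))
```

The last call returns False: with A = (1, 5), I = 0 and MAX = 1 every remaining hypothesis holds, yet A[0..1] is not bounded by MAX, so the loop-path condition is only valid because the branch MAX < A[I+1] was taken elsewhere. This is the role of hypothesis (14) in the first trace.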
2.  The Wensley Division Algorithm

The following is the complete trace of the proof included in the body of the text:

 1 (CONTEXT (1 0) 1 0)
 2 (ASSERT (EQ AA (TIMES QQ YY)) WRT $VERICON)
 3 TRUE
 4 (ASSERT (EQ (TIMES 2 BB) (TIMES QQ DD)) WRT $VERICON)
 5 TRUE
 6 (ASSERT (LT PP (PLUS (TIMES QQ YY) (TIMES QQ DD))) WRT $VERICON)
 7 TRUE
 8 (ASSERT (LTQ (TIMES QQ YY) PP) WRT $VERICON)
 9 TRUE
10 (ASSERT (LT PP (PLUS AA BB)) WRT $VERICON)
11 TRUE
12 (DENY (LT (DIVIDES DD 2) EE) WRT $VERICON)
13 FALSE

The goal is to prove PP < QQ*YY + QQ*(DD/2):

14 (GOAL $PROVE (LT PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2)))) WRT $VERICON)
15 LAMBDA PROOFSWITCH (LT PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2))))
16 (GOAL $INEQUALITIES ($F $X))
17 LAMBDA RELCHECK (LT PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2))))
18 LAMBDA PROOFSIMP (LT PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2))))
19 LAMBDA ARGSIMP (LT PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2))))
20 LAMBDA SIMPONE (TUPLE PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2))))
21 LAMBDA ASK (TUPLE (TUPLE PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2)))) SIMPLIFY?)
(TUPLE PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2))))
SIMPLIFY?
: NO
22 (FAIL)
23 (FAIL)
24 LAMBDA PROOFLEIB (LT PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2))))
25 (EXISTS ($F ←Y))
26 LAMBDA ASK (TUPLE (EQ (TUPLE PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2)))) (TUPLE PP (PLUS (TIMES QQ YY) (TIMES QQ DD)))) PROVE?)
(EQ (TUPLE PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2)))) (TUPLE PP (PLUS (TIMES QQ YY) (TIMES QQ DD))))
PROVE?
: NO
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27  (FAIL) 

2.':;  LAnpDA  ASK  (TUPLE  (EQ  (TUPLE  PP  (PLUS  (TIHES  QQ  YY)  (TIMES 

UU  (DIVIDES  DD  2))))  (TUPLE  PP  (PLUS  AA  BB)))  PROVE?) 

(EO  (TLiPL.E  PP  (PLUS  (TIMES  QQ  YY)  (TIMES  QQ  (DIVIDES  DD  2))))  (TUPLE 
PP'  1I-’1,US  AA  BB)  )  ) 

PROVE? 

:MO 

20  (FAIL) 

30  LAMBDA  IMEQLEIB  (LT  PP  (PLUS  (TIMES  QQ  YY)  (TIMES  QQ  (DIVIDES 
DPI  2)  ) )  ) 

31  (F.-.I'O'S  (BL  (TUPLE  -LOUER  -UPPER) ) ) 

32  LAUCDA  ASK  (TUPLE  PROVE  (LTQ  PP  PP)  AND  (LTQ  (PLUS  (TIMES 

on  VV)  (TIME:-.  rjQ  DD))  (PLUS  (TIMES  QQ  YY)  (TIMES  QQ  (DI  V|  DES  DD  2) )  )  ) 
?) 

TT.O'v'E 

d.li')  P'P  PP) 

AND 

(LTD  (PLUS  (TIMES  QQ  YY)  (TIMES  QQ  QD) )  (PLUS  (TIMES  QQ  YY)  (TIMES 
(.'0  (MI VI DP:-  UD  ?)))) 


After  several  false  starts  the  system  reaches  using  hypothesis  (10),  it 
generates  two  subgoals:  PP  ^  PP  and  AA  +  BB  <  QQ*YY  +  CJQ*(DD/2)  .  We 
give  our  approval  of  this  tactic: 


ifaid 

FA  LAMBDA  ASK  (TUPLE  PROVE  (LTQ  PP  PP)  AND  (LTQ  (PLUS  AA  BB) 

(PI  LI;T  (TIMES  DO  YV)  (TIMES  QQ  (DIVIDES  DD  2))))  ?) 
pf.;iivp: 

(LTQ  PP  r’P) 

Al'lfi 

(LID  (PLUS  AA  BB)  (PLUS  (TIMES  QQ  YY)  (TIMES  QQ  (DIVIDES  DD  2)))) 

9 

:  YES 

3;E.  ask  TRUE 

It  proves  the  first  subgoal  immediately. 


36  (GOAL $INEQUALITIES (AND (LTQ $X $LOWER) (LTQ $UPPER $Y)))

37  LAMBDA ANDSPLIT (AND (LTQ PP PP) (LTQ (PLUS AA BB) (PLUS
(TIMES QQ YY) (TIMES QQ (DIVIDES DD 2)))))

38  (GOAL $GOALCLASS $X)

39  LAMBDA RELCHECK (LTQ PP PP)

40  RELCHECK = TRUE

41  (GOAL $GOALCLASS (AND $$Y))

42  LAMBDA ANDSPLIT (AND (LTQ (PLUS AA BB) (PLUS (TIMES QQ
YY) (TIMES QQ (DIVIDES DD 2)))))

43  (GOAL $GOALCLASS $X)

44  LAMBDA RELCHECK (LTQ (PLUS AA BB) (PLUS (TIMES QQ YY)
(TIMES QQ (DIVIDES DD 2))))

45  LAMBDA INEQMONOTONE (LTQ (PLUS AA BB) (PLUS (TIMES QQ
YY) (TIMES QQ (DIVIDES DD 2))))

46  LAMBDA ASK (TUPLE ((LTQ AA (TIMES QQ (DIVIDES DD 2)))
(LTQ BB (TIMES QQ YY))) PROVE?)

((LTQ AA (TIMES QQ (DIVIDES DD 2))) (LTQ BB (TIMES QQ YY)))
PROVE?

:NO

47  (FAIL)

48  LAMBDA INEQMONOTONE (LTQ (PLUS AA BB) (PLUS (TIMES QQ
YY) (TIMES QQ (DIVIDES DD 2))))

49  LAMBDA ASK (TUPLE ((LTQ AA (TIMES QQ YY)) (LTQ BB (TIMES
QQ (DIVIDES DD 2)))) PROVE?)

((LTQ AA (TIMES QQ YY)) (LTQ BB (TIMES QQ (DIVIDES DD 2))))
PROVE?


It divides the second subgoal into two subsubgoals, AA ≤ QQ*YY and
BB ≤ QQ*(DD/2):


:YES

50  ASK = TRUE

51  (GOAL $GOALCLASS (AND ($F (TUPLE $U $Y)) ($F (TUPLE $X
$Z))))

52  LAMBDA ANDSPLIT (AND (LTQ AA (TIMES QQ YY)) (LTQ BB
(TIMES QQ (DIVIDES DD 2))))

53  (GOAL $GOALCLASS $X)

54  LAMBDA RELCHECK (LTQ AA (TIMES QQ YY))

55  RELCHECK = TRUE


The  first  subsubgoal  follows  from  hypothesis  (2)  . 


56  (GOAL $GOALCLASS (AND $$Y))

57  LAMBDA ANDSPLIT (AND (LTQ BB (TIMES QQ (DIVIDES DD
2))))

58  (GOAL $GOALCLASS $X)

59  LAMBDA RELCHECK (LTQ BB (TIMES QQ (DIVIDES DD 2)))

60  LAMBDA INEQTIMESDIVIDE (LTQ BB (TIMES QQ (DIVIDES
DD 2)))

61  (GOAL $DEDUCE (LT 0 $Y))

62  LAMBDA RELCHECK (LT 0 2)

63  RELCHECK = TRUE

64  (GOAL $INEQUALITIES ($F (TUPLE (TIMES $Y $U) (TIMES
$Y $$Z))))

65  LAMBDA RELCHECK (LTQ (TIMES 2 BB) (TIMES QQ DD))

66  RELCHECK = TRUE


After checking that 2 > 0, the system multiplied out the second subgoal into
2*BB ≤ QQ*DD. This follows from assertion (4). The proof is complete:


67  INEQTIMESDIVIDE = TRUE

68  (GOAL $GOALCLASS (AND $$Y))

69  ANDSPLIT = (AND)

70  ANDSPLIT = (AND)

71  INEQMONOTONE = (AND)

72  (GOAL $GOALCLASS (AND $$Y))

73  ANDSPLIT = (AND)

74  ANDSPLIT = (AND)

75  INEQLEIB = (AND)

76  (ASSERT ($F $X))

77  (RETURN ($F $X))

78  PROOFSWITCH = (LT PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD
2))))

79  (LT PP (PLUS (TIMES QQ YY) (TIMES QQ (DIVIDES DD 2))))
3.  The Pattern Matcher


As an abbreviation, let

m1 = match(car(pat), car(arg))

and

m2 = match(varsubst(m1, cdr(pat)), cdr(arg)) .

The hypotheses are that

varsubst(m1, car(pat)) = car(arg) ,

or, in unabbreviated form,


1  (ASSERT (EQ (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CAR PAT)) (CAR
ARG)))

2  TRUE


and that

varsubst(m2, varsubst(m1, cdr(pat))) = cdr(arg) ,

3  (ASSERT (EQ (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR PAT)))
(CDR ARG)))

4  TRUE


The other hypotheses are

5  (ASSERT (CONSTEXP ARG))

6  TRUE

7  (ASSERT (NOT (CONST PAT)))

8  TRUE

9  (ASSERT (NOT (ATOM ARG)))

10  TRUE

11  (ASSERT (NOT (VAR PAT)))

12  TRUE


The goal is to prove

varsubst(compose(m2, m1), pat) = arg

13  (GOAL $PROVE (EQ (VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG)))
PAT) ARG))
The proof begins:

14  LAMBDA PROOFSWITCH (EQ (VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG)))
PAT) ARG)

15  (GOAL $EQRULES ($F $X))

16  LAMBDA RELCHECK (EQ (VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG)))
PAT) ARG)

17  LAMBDA EQSUBST (EQ (VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG)))
PAT) ARG)

18  (GOAL $EQSUBSTRULES $Y)

19  LAMBDA SUBSTCONS (EQ (VARSUBST (COMPOSE (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT)
(CAR ARG))) PAT) ARG)

20  (GOAL $DEDUCE (NOT (ATOM $X)))

21  LAMBDA RELCHECK (NOT (ATOM PAT))

22  LAMBDA NOTATOM (NOT (ATOM PAT))

23  (EXISTS (NOT (VAR $X)))

24  (EXISTS (NOT (CONST $X)))

25  NOTATOM = (NOT (CONST PAT))

26  (GOAL $DEDUCE (NOT (ATOM $Y)))

27  (GOAL (= ($REMOVE (TUPLE EQSUBST FROM $EQRULES))) (EQ (VARSUBST
$S1 (CAR $X)) (CAR $Y)))


Reasoning that pat is not an atom, since it is neither a variable nor a
constant, the system breaks the goal into two subgoals:

varsubst(compose(m2, m1), car(pat)) = car(arg)

and

varsubst(compose(m2, m1), cdr(pat)) = cdr(arg) .

It begins work on the first of these:


28  LAMBDA RELCHECK (EQ (CAR ARG) (VARSUBST (COMPOSE (MATCH
(VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH
(CAR PAT) (CAR ARG))) (CAR PAT)))

29  LAMBDA EQSIMP (EQ (CAR ARG) (VARSUBST (COMPOSE (MATCH
(VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH
(CAR PAT) (CAR ARG))) (CAR PAT)))

30  LAMBDA SIMPONE (VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG)))
(CAR PAT))

(VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR
PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG))) (CAR PAT))

SIMPLIFY?


We give the system our permission to simplify the left side of the first
subgoal,

varsubst(compose(m2, m1), car(pat)) :


31  (GOAL $TOPRULES $GOAL1)

32  LAMBDA HASSIMP (VARSUBST (COMPOSE (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT)
(CAR ARG))) (CAR PAT))

33  (FAIL)

34  LAMBDA SUBSTOP (VARSUBST (COMPOSE (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT)
(CAR ARG))) (CAR PAT))

35  (GOAL $SUBSTRULES $Y)

36  LAMBDA SUBSTCOMPOSE (VARSUBST (COMPOSE (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT)
(CAR ARG))) (CAR PAT))

37  (GOAL $GOALCLASS $GOAL1)

38  LAMBDA SUBSTCONST (VARSUBST (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

39  (GOAL $DEDUCE (CONSTEXP $Y))

40  LAMBDA RELCHECK (CONSTEXP (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CAR PAT)))

41  SUBSTCOMPOSE = (VARSUBST (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

42  SUBSTOP = (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CAR PAT)))

43  (RETURN $SIMPGOAL)

44  SIMPONE = (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CAR PAT)))


The system has succeeded in simplifying the left half of the goal into

varsubst(m2, varsubst(m1, car(pat))) .

It now tries to prove this new expression equal to car(arg):


45  (GOAL $EQRULES (EQ $X $Y))

46  LAMBDA RELCHECK (EQ (CAR ARG) (VARSUBST (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CAR PAT))))

47  LAMBDA EQSUBST (EQ (CAR ARG) (VARSUBST (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CAR PAT))))

48  (GOAL $EQSUBSTRULES $Y)

49  LAMBDA SUBSTCONS (EQ (CAR ARG) (VARSUBST (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CAR PAT))))

50  (GOAL $DEDUCE (NOT (ATOM $X)))

51  LAMBDA RELCHECK (NOT (ATOM (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CAR PAT))))

52  LAMBDA NOTATOM (NOT (ATOM (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT))))

53  (EXISTS (NOT (VAR $X)))

54  LAMBDA EQSIMP (EQ (CAR ARG) (VARSUBST (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CAR PAT))))

55  LAMBDA SIMPONE (VARSUBST (MATCH (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CAR PAT)))

(VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR PAT))
(CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CAR PAT)))

SIMPLIFY?


The system asks permission to simplify

varsubst(m2, varsubst(m1, car(pat)))

further. Permission is granted:


:Y

56  (GOAL $TOPRULES $GOAL1)

57  LAMBDA HASSIMP (VARSUBST (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

58  (FAIL)

59  LAMBDA SUBSTOP (VARSUBST (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

60  (GOAL $SUBSTRULES $Y)

61  LAMBDA SUBSTCONST (VARSUBST (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

62  (GOAL $DEDUCE (CONSTEXP $Y))

63  LAMBDA RELCHECK (CONSTEXP (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CAR PAT)))

64  LAMBDA EQNUMB (VARSUBST (MATCH (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CAR PAT)))

65  (FAIL)

66  (GOAL $DOWNRULES $GOAL1)

67  LAMBDA ARGSIMP (VARSUBST (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

68  LAMBDA SIMPONE (TUPLE (MATCH (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CAR PAT)))

(TUPLE (MATCH (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR
ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CAR PAT)))

SIMPLIFY?

:Y

69  (GOAL $TOPRULES $GOAL1)

70  LAMBDA HASSIMP (TUPLE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

71  (FAIL)

72  LAMBDA EQNUMB (TUPLE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

73  (FAIL)

74  (GOAL $DOWNRULES $GOAL1)

75  LAMBDA TUPSIMP (TUPLE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

76  LAMBDA SIMPONE (MATCH (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CDR PAT)) (CDR ARG))

(MATCH (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG))

SIMPLIFY?

77  (FAIL)

78  LAMBDA TUPSIMP (TUPLE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT)))

79  LAMBDA SIMPONE (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CAR PAT))

(VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CAR PAT))

SIMPLIFY?


The system wants to simplify varsubst(m1, car(pat)), a subexpression of
our goal. We give our blessing:


:Y

80  (GOAL $TOPRULES $GOAL1)

81  LAMBDA HASSIMP (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CAR PAT))

82  (FAIL)

83  LAMBDA SUBSTOP (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CAR PAT))

84  (GOAL $SUBSTRULES $Y)

85  LAMBDA SUBSTCONST (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CAR PAT))

86  (GOAL $DEDUCE (CONSTEXP $Y))

87  LAMBDA RELCHECK (CONSTEXP (CAR PAT))

88  LAMBDA CONSTCAR (CONSTEXP (CAR PAT))

89  (EXISTS (CONSTEXP $X))

90  LAMBDA EQNUMB (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CAR PAT))

91  (RETURN $BEST)

92  EQNUMB = (CAR ARG)

93  (RETURN $SIMPGOAL)

94  SIMPONE = (CAR ARG)


The subexpression varsubst(m1, car(pat)) is known to be equal to car(arg)
by hypothesis (1). The rule EQNUMB has found this simplification. Work
continues on simplifying the entire left-hand side.
95  TUPSIMP = (TUPLE (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (CAR ARG))

96  (GOAL $GOALCLASS $GOAL1)

97  LAMBDA HASSIMP (TUPLE (MATCH (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (CAR ARG))

98  (FAIL)

99  LAMBDA EQNUMB (TUPLE (MATCH (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (CAR ARG))

100  (FAIL)

101  (RETURN $SIMPGOAL)

102  SIMPONE = (TUPLE (MATCH (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CDR PAT)) (CDR ARG)) (CAR ARG))

103  ARGSIMP = (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (CAR ARG))


The  expression  being  simplified  is  now  varsubst(m2,  car(arg)): 


104  (GOAL $GOALCLASS $GOAL1)

105  LAMBDA HASSIMP (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (CAR ARG))

106  (FAIL)

107  LAMBDA SUBSTOP (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (CAR ARG))

108  (GOAL $SUBSTRULES $Y)

109  LAMBDA SUBSTCONST (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (CAR ARG))

110  (GOAL $DEDUCE (CONSTEXP $Y))

111  LAMBDA RELCHECK (CONSTEXP (CAR ARG))

112  LAMBDA CONSTCAR (CONSTEXP (CAR ARG))

113  (EXISTS (CONSTEXP $X))

114  CONSTCAR = (CONSTEXP ARG)

115  SUBSTCONST = (CAR ARG)

116  SUBSTOP = (CAR ARG)

117  (RETURN $SIMPGOAL)

118  SIMPONE = (CAR ARG)


Since arg consists entirely of constants, so does car(arg). Therefore,
substitutions have no effect on car(arg), and the left-hand side of our
subgoal reduces to car(arg) itself, which is precisely the same as the
right-hand side.


119  (GOAL $EQRULES (EQ $X $Y))

120  LAMBDA RELCHECK (EQ (CAR ARG) (CAR ARG))

121  RELCHECK = TRUE

122  EQSIMP = TRUE

123  EQSUBST = TRUE


We  have  yet  to  prove  the  second  subgoal: 
varsubst(compose(m2, m1), cdr(pat)) = cdr(arg)

124  (GOAL (= ($REMOVE (TUPLE EQSUBST FROM $EQRULES))) (EQ (VARSUBST
$S1 (CDR $X)) (CDR $Y)))

125  LAMBDA RELCHECK (EQ (CDR ARG) (VARSUBST (COMPOSE (MATCH
(VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH
(CAR PAT) (CAR ARG))) (CDR PAT)))

126  LAMBDA EQSIMP (EQ (CDR ARG) (VARSUBST (COMPOSE (MATCH
(VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH
(CAR PAT) (CAR ARG))) (CDR PAT)))

127  LAMBDA SIMPONE (VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG)))
(CDR PAT))

(VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH (CAR PAT) (CAR ARG)) (CDR
PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG))) (CDR PAT))

SIMPLIFY?

:Y

128  (GOAL $TOPRULES $GOAL1)

129  LAMBDA HASSIMP (VARSUBST (COMPOSE (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT)
(CAR ARG))) (CDR PAT))

130  (FAIL)

131  LAMBDA SUBSTOP (VARSUBST (COMPOSE (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT)
(CAR ARG))) (CDR PAT))

132  (GOAL $SUBSTRULES $Y)

133  LAMBDA SUBSTCOMPOSE (VARSUBST (COMPOSE (MATCH (VARSUBST
(MATCH (CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT)
(CAR ARG))) (CDR PAT))

134  (GOAL $GOALCLASS $GOAL1)

135  LAMBDA SUBSTCONST (VARSUBST (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)))

136  (GOAL $DEDUCE (CONSTEXP $Y))

137  LAMBDA RELCHECK (CONSTEXP (VARSUBST (MATCH (CAR
PAT) (CAR ARG)) (CDR PAT)))

138  SUBSTCOMPOSE = (VARSUBST (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)))

139  SUBSTOP = (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CDR PAT)))

140  (RETURN $SIMPGOAL)

141  SIMPONE = (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CDR PAT)))


The subgoal has been simplified to

varsubst(m2, varsubst(m1, cdr(pat))) = cdr(arg) .

But this is precisely our hypothesis (3).


142  (GOAL $EQRULES (EQ $X $Y))

143  EQSIMP = (EQ (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CDR PAT))) (CDR ARG))

144  SUBSTCONS = (EQ (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT)
(CAR ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CDR PAT))) (CDR ARG))

145  EQSUBST = (EQ (VARSUBST (MATCH (VARSUBST (MATCH (CAR PAT) (CAR
ARG)) (CDR PAT)) (CDR ARG)) (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CDR PAT))) (CDR ARG))

146  (ASSERT ($F $X))

147  (RETURN ($F $X))

148  PROOFSWITCH = (EQ (VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH
(CAR PAT) (CAR ARG)) (CDR PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG)))
PAT) ARG)

149  (EQ (VARSUBST (COMPOSE (MATCH (VARSUBST (MATCH (CAR PAT) (CAR ARG))
(CDR PAT)) (CDR ARG)) (MATCH (CAR PAT) (CAR ARG))) PAT) ARG)


The  proof  is  complete. 
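The functions this proof reasons about can be made concrete. What follows is an added example, not code from the paper or from the QA4 system: a pattern matcher in Python written in the style of MATCH, VARSUBST and COMPOSE, with the theorem just proved (together with hypotheses (1) and (3)) evaluated on constructed inputs. The representation is my own assumption: an expression is a nested tuple, a variable is a string beginning with "?", every other atom is a constant, and a substitution is a dict. The recursive case of match is exactly the m1 / m2 / compose(m2, m1) construction, so stress() is checking the theorem on random instances and should never report a counterexample.

```python
import random

# Added example (not the paper's code).  Representation assumed here:
# expression = nested tuple; variable = str starting with "?"; any other
# atom = constant; substitution = dict {variable: expression}.


def is_var(x):
    return isinstance(x, str) and x.startswith("?")


def is_atom(x):
    return not isinstance(x, tuple)


def is_constexp(x):
    """CONSTEXP: no variable occurs anywhere in x."""
    return (not is_var(x)) if is_atom(x) else all(is_constexp(e) for e in x)


def car(x):
    return x[0]


def cdr(x):
    return x[1:]


def cons(a, d):
    return (a,) + d


def varsubst(s, x):
    """Apply substitution s to x: SUBSTCONST leaves constants alone,
    SUBSTCONS substitutes into car and cdr separately."""
    if is_var(x):
        return s.get(x, x)
    if is_atom(x) or x == ():
        return x
    return cons(varsubst(s, car(x)), varsubst(s, cdr(x)))


def compose(s2, s1):
    """The single substitution that behaves like s1 followed by s2, i.e. the
    SUBSTCOMPOSE rewrite  varsubst(compose(s2, s1), x) == varsubst(s2, varsubst(s1, x))."""
    out = {v: varsubst(s2, t) for v, t in s1.items()}
    for v, t in s2.items():
        out.setdefault(v, t)
    return out


def match(pat, arg):
    """Return m with varsubst(m, pat) == arg, or None if no such m exists.
    The non-atomic case is the m1 / m2 / compose(m2, m1) construction."""
    if is_var(pat):
        return {pat: arg}
    if is_atom(pat) or pat == ():
        return {} if pat == arg else None
    if is_atom(arg) or arg == ():
        return None
    m1 = match(car(pat), car(arg))
    if m1 is None:
        return None
    m2 = match(varsubst(m1, cdr(pat)), cdr(arg))
    if m2 is None:
        return None
    return compose(m2, m1)


def check_theorem(pat, arg):
    """Hypotheses (1), (3) and the goal for one (pat, arg).  None when no
    match exists (the hypotheses are unavailable), else whether all hold."""
    if not (is_constexp(arg) and not is_atom(arg) and not is_atom(pat)):
        raise ValueError("need a constant, non-atomic arg and a non-atomic pat")
    m1 = match(car(pat), car(arg))
    if m1 is None:
        return None
    m2 = match(varsubst(m1, cdr(pat)), cdr(arg))
    if m2 is None:
        return None
    hyp1 = varsubst(m1, car(pat)) == car(arg)
    hyp3 = varsubst(m2, varsubst(m1, cdr(pat))) == cdr(arg)
    goal = varsubst(compose(m2, m1), pat) == arg
    return hyp1 and hyp3 and goal


def random_constexp(rng, depth=2):
    """Constructed input: a random expression made only of constants."""
    if depth == 0 or rng.random() < 0.3:
        return rng.choice("abc")
    return tuple(random_constexp(rng, depth - 1) for _ in range(rng.randint(1, 3)))


def abstract(rng, x):
    """Replace some subtrees by variables; reusing a variable for different
    subtrees makes some patterns fail to match, which exercises the None path."""
    if rng.random() < 0.25:
        return rng.choice(["?x", "?y", "?z"])
    return x if is_atom(x) else tuple(abstract(rng, e) for e in x)


def stress(trials=500, seed=1):
    """Count proved / unmatched / counterexample over random (pat, arg)."""
    rng = random.Random(seed)
    counts = {"proved": 0, "no match": 0, "counterexample": 0}
    for _ in range(trials):
        arg = random_constexp(rng)
        pat = abstract(rng, arg)
        if is_atom(arg) or is_atom(pat):
            continue
        r = check_theorem(pat, arg)
        counts["no match" if r is None else "proved" if r else "counterexample"] += 1
    return counts
```

Note that the theorem depends on hypothesis (5), that arg is constant: if arg could contain variables, varsubst(m2, car(arg)) would not reduce to car(arg) as it did at lines 104 to 118, and the goal could fail.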


4.  FIND 

Only  a  selection  from  the  trace  for  the  interesting  verification 
condition  of  FIND  is  presented  here  because  of  the  length  of  the  entire 
trace.  We  will  focus  on  the  use  of  the  case  analysis  during  the  proof. 

The  antecedent  hypotheses  for  this  condition  are 

1 ≤ M ≤ F ≤ NN
M ≤ I
J ≤ N

(STRIP (BAGA A 1 M-1)) ≤ (STRIP (BAGA A M NN))

(STRIP (BAGA A 1 N)) ≤ (STRIP (BAGA A N+1 NN))

(STRIP (BAGA A 1 I-1)) ≤ R

R ≤ (STRIP (BAGA A J+1 NN))

A[J] ≤ R
R ≤ A[I]

I ≤ J
J-1 < I+1
F ≤ J-1 .

The  theorem  to  be  proved  is 
(STRIP (BAGA (EXCHANGE A I J) 1 J-1))

≤ (STRIP (BAGA (EXCHANGE A I J) (J-1)+1 NN)) .

This goal is simplified to

(IF J-1 < I THEN (STRIP (BAGA A 1 J-1))

ELSE (STRIP (BAG (STRIP (BAGA A 1 I-1))

A[J]

(STRIP (BAGA A I+1 J-1)))))

≤ (IF J ≤ I THEN (STRIP (BAGA A J NN))

ELSE (STRIP (BAG A[I]

(STRIP (BAGA A J+1 NN))
(STRIP (BAGA A J J-1)))))
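Before a prover is let loose on a verification condition it is worth confirming that the condition is actually true. As an added example (not from the paper), the following Python enumerates every small instance of the hypotheses above and evaluates both the theorem and its simplified IF-THEN-ELSE form. The semantics of BAGA and STRIP are my reading of the trace, not something the paper states in these terms: BAGA A lo hi is the bag of A[lo..hi], 1-indexed and empty when hi < lo, and (STRIP b1) ≤ (STRIP b2) holds when every element of b1 is ≤ every element of b2, vacuously so when either bag is empty. Dropping a hypothesis by name shows that the check has teeth.

```python
from itertools import product

# Added example (not from the paper).  BAGA / STRIP semantics assumed here:
# BAGA A lo hi = bag of A[lo..hi] (1-indexed); (STRIP xs) <= (STRIP ys) iff
# every x in xs is <= every y in ys; a bare value is a one-element bag.


def baga(A, lo, hi):
    """BAGA A lo hi: the bag (a list here) of A[lo..hi], empty when hi < lo."""
    return [A[k - 1] for k in range(lo, hi + 1)]


def strip_le(xs, ys):
    """(LTQ (STRIP xs) (STRIP ys))."""
    return all(x <= y for x in xs for y in ys)


def exchange(A, i, j):
    """EXCHANGE A i j: a copy of A with A[i] and A[j] swapped."""
    B = list(A)
    B[i - 1], B[j - 1] = B[j - 1], B[i - 1]
    return B


def index_hypotheses(I, J, F, M, N, NN, drop=()):
    """The hypotheses that mention only indices (cheap, checked first)."""
    hyps = {"1<=M<=F<=NN": 1 <= M <= F <= NN, "M<=I": M <= I, "J<=N": J <= N,
            "I<=J": I <= J, "J-1<I+1": J - 1 < I + 1, "F<=J-1": F <= J - 1}
    return all(v for k, v in hyps.items() if k not in drop)


def array_hypotheses(A, I, J, R, M, N, drop=()):
    """The hypotheses that mention the array and R, by name so one can be dropped."""
    NN = len(A)
    hyps = {"A[1..M-1]<=A[M..NN]": strip_le(baga(A, 1, M - 1), baga(A, M, NN)),
            "A[1..N]<=A[N+1..NN]": strip_le(baga(A, 1, N), baga(A, N + 1, NN)),
            "A[1..I-1]<=R": strip_le(baga(A, 1, I - 1), [R]),
            "R<=A[J+1..NN]": strip_le([R], baga(A, J + 1, NN)),
            "A[J]<=R": A[J - 1] <= R,
            "R<=A[I]": R <= A[I - 1]}
    return all(v for k, v in hyps.items() if k not in drop)


def conclusion(A, I, J):
    """(STRIP (BAGA (EXCHANGE A I J) 1 J-1)) <= (STRIP (BAGA (EXCHANGE A I J) (J-1)+1 NN))."""
    B = exchange(A, I, J)
    return strip_le(baga(B, 1, J - 1), baga(B, (J - 1) + 1, len(A)))


def simplified_goal(A, I, J):
    """The IF-THEN-ELSE form produced by the simplifier; it should agree with
    conclusion() whenever the hypotheses hold."""
    NN = len(A)
    left = (baga(A, 1, J - 1) if J - 1 < I
            else baga(A, 1, I - 1) + [A[J - 1]] + baga(A, I + 1, J - 1))
    right = (baga(A, J, NN) if J <= I
             else [A[I - 1]] + baga(A, J + 1, NN) + baga(A, J, J - 1))
    return strip_le(left, right)


def bounded_check(NN=4, values=(0, 1, 2), drop=()):
    """Enumerate every (A, I, J, R, F, M, N) over a small domain.  Returns the
    number of cases satisfying the hypotheses and the list of counterexamples
    (cases where the theorem, or its simplified form, is false)."""
    idx = range(1, NN + 1)
    cases, bad = 0, []
    for I, J, F, M, N in product(idx, repeat=5):
        if not index_hypotheses(I, J, F, M, N, NN, drop):
            continue
        for A in product(values, repeat=NN):
            for R in values:
                if not array_hypotheses(A, I, J, R, M, N, drop):
                    continue
                cases += 1
                if not (conclusion(A, I, J) and simplified_goal(A, I, J)):
                    bad.append((A, I, J, R, F, M, N))
    return cases, bad
```

The enumeration also makes the case split visible: under I ≤ J and J-1 < I+1, J is either I (the exchange is a no-op and the THEN clauses apply) or I+1 (the ELSE clauses apply, and BAGA A I+1 J-1 and BAGA A J J-1 are empty). With the hypothesis A[J] ≤ R dropped, a counterexample such as A = (1, 2, 1, 1), I = 1, J = 2, R = 1 appears, so a green run is not vacuous.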


1  (GOAL $INEQUALITIES (LTQ (IFTHENELSE (LT (SUBTRACT J 1) I) (STRIP
(BAGA A 1 (SUBTRACT J 1))) (STRIP (BAG (STRIP (BAGA A 1 (SUBTRACT
I 1))) (ACCESS A J) (STRIP (BAGA A (PLUS 1 I) (SUBTRACT J 1))))))
(IFTHENELSE (LTQ J I) (STRIP (BAGA A J NN)) (STRIP (BAG (ACCESS A
I) (STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J (SUBTRACT J 1))))))))

2  LAMBDA RELCHECK (LTQ (IFTHENELSE (LT (SUBTRACT J 1) I) (STRIP
(BAGA A 1 (SUBTRACT J 1))) (STRIP (BAG (STRIP (BAGA A 1 (SUBTRACT
I 1))) (ACCESS A J) (STRIP (BAGA A (PLUS 1 I) (SUBTRACT J 1))))))
(IFTHENELSE (LTQ J I) (STRIP (BAGA A J NN)) (STRIP (BAG (ACCESS A
I) (STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J (SUBTRACT J 1)))))))

3  LAMBDA INEQIFTHENELSE (LTQ (IFTHENELSE (LT (SUBTRACT J 1) I)
(STRIP (BAGA A 1 (SUBTRACT J 1))) (STRIP (BAG (STRIP (BAGA A 1 (SUBTRACT
I 1))) (ACCESS A J) (STRIP (BAGA A (PLUS 1 I) (SUBTRACT J 1))))))
(IFTHENELSE (LTQ J I) (STRIP (BAGA A J NN)) (STRIP (BAG (ACCESS A
I) (STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J (SUBTRACT J 1)))))))

4  (ASSERT $X WRT $VERICON)


Since the left side of the goal has an IF-THEN-ELSE form, it causes
the rule INEQIFTHENELSE to be applied. This rule sets VERICON to be a
new, lower context and asserts

J-1 < I

with respect to the new VERICON. This assertion triggers a demon:

5  (ASSERT (LTQ (PLUS 1 $X) $Y) WRT $VERICON)

The new assertion is

(J-1)+1 ≤ I .

The new assertion triggers another demon, which makes still another
assertion with respect to VERICON:

6  (ASSERT (LTQ $U $Y) WRT $VERICON)

This new assertion is

J ≤ I .

(Later in the proof, another context will be established; J-1 < I will be
denied with respect to the new context.)

The  THEN  clause  of  the  IF-THEN-ELSE  expression  must  now  be  proved 
less  than  or  equal  to  the  right  side  of  the  goal: 

7  (GOAL $INEQUALITIES ($F (TUPLE $$W1 $Y $$W2)) WRT $VERICON)

This  goal  is  attempted  with  respect  to  the  new  context  VERICON.  In  other 
words,  we  are  trying  to  prove 

(STRIP (BAGA A 1 J-1))

≤ (IF J ≤ I THEN (STRIP (BAGA A J NN))

ELSE (STRIP (BAG A[I]

(STRIP (BAGA A J+1 NN))

(STRIP (BAGA A J J-1)))))

with respect to the context in which J ≤ I has been asserted:

8  LAMBDA RELCHECK (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1))) (
IFTHENELSE (LTQ J I) (STRIP (BAGA A J NN)) (STRIP (BAG (ACCESS A I)
(STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J (SUBTRACT J 1)))))))

9  LAMBDA INEQIFTHENELSE (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1)))
(IFTHENELSE (LTQ J I) (STRIP (BAGA A J NN)) (STRIP (BAG (ACCESS A
I) (STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J (SUBTRACT J 1)))))))

Since  the  right  side  of  the  inequality  is  still  in  IF-THEN-ELSE  form,  the 
rule  INEQIFTHENELSE  applies  again.  A  new  context  VERICON,  even  lower 
than  the  last,  is  established,  and  the  (redundant)  statement 
J ≤ I

is asserted with respect to the new context:

10  (ASSERT $X WRT $VERICON)

A  new  goal  is  established  with  respect  to  the  new  context. 

11  (GOAL $INEQUALITIES ($F (TUPLE $$W1 $Y $$W2)) WRT $VERICON)

The new goal is

(STRIP (BAGA A 1 J-1)) ≤ (STRIP (BAGA A J NN)) .

12  LAMBDA RELCHECK (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1))) (STRIP
(BAGA A J NN)))

13  LAMBDA PROOFSIMP (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1))) (STRIP
(BAGA A J NN)))

14  LAMBDA ARGSIMP (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1))) (STRIP
(BAGA A J NN)))

15  LAMBDA SIMPONE (TUPLE (STRIP (BAGA A 1 (SUBTRACT J 1)))
(STRIP (BAGA A J NN)))


The simplifier is invoked. We will omit some steps from the trace here
and mention only that the rule BAGALOWERPLUS played an important part in
the simplification of the second element of the tuple.


90  SIMPONE = (TUPLE (STRIP (BAGA A 1 (SUBTRACT J 1))) (STRIP
(BAG (STRIP (BAGA A (PLUS 1 J) NN)) (ACCESS A J))))

91  ARGSIMP = (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1))) (STRIP
(BAG (STRIP (BAGA A (PLUS 1 J) NN)) (ACCESS A J))))

92  (GOAL $GOALCLASS1 $X)


The  simplified  goal  is 


(STRIP (BAGA A 1 J-1))

≤ (STRIP (BAG (STRIP (BAGA A J+1 NN))
A[J])) :

93  LAMBDA RELCHECK (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1)))
(STRIP (BAG (STRIP (BAGA A (PLUS 1 J) NN)) (ACCESS A J))))

94  LAMBDA INEQSTRIPBAG (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1)))
(STRIP (BAG (STRIP (BAGA A (PLUS 1 J) NN)) (ACCESS A J))))


INEQSTRIPBAG  breaks  up  the  goal  into  two  subgoals.  The  first  of  these 
goals  is 
(STRIP (BAGA A 1 J-1)) ≤ (STRIP (BAGA A J+1 NN)) :

95  (GOAL $INEQUALITIES ($F (TUPLE $$W $X $$Z)))

96  LAMBDA RELCHECK (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1)))
(STRIP (BAGA A (PLUS 1 J) NN)))


The  rule  INEQSTRIPSTRIP  is  applicable  to  this  goal: 

103  LAMBDA INEQSTRIPSTRIP (LTQ (STRIP (BAGA A 1 (SUBTRACT
J 1))) (STRIP (BAGA A (PLUS 1 J) NN)))

Since it is known that

(STRIP (BAGA A 1 I-1)) ≤ (STRIP (BAGA A J+1 NN)) ,

and, in this context, J ≤ I, INEQSTRIPSTRIP succeeds:


The  other  subgoal  to  be  proved  is 


(STRIP (BAGA A 1 J-1)) ≤ (STRIP (BAG A[J])) :

143  (GOAL $INEQUALITIES ($F (TUPLE $$W (STRIP (BAG $$Y)) $$Z)))

144  LAMBDA RELCHECK (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1)))
(STRIP (BAG (ACCESS A J))))


INEQSTRIPBAG applies again, splitting this goal into two subgoals, one
of which is trivial.

145  LAMBDA INEQSTRIPBAG (LTQ (STRIP (BAGA A 1 (SUBTRACT J
1))) (STRIP (BAG (ACCESS A J))))

146  (GOAL $INEQUALITIES ($F (TUPLE $$W $X $$Z)))

The  nontrivial  goal  is 


(STRIP (BAGA A 1 J-1)) ≤ A[J] :

147  LAMBDA RELCHECK (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1)))
(ACCESS A J))


This goal invokes the rule INEQSTRIPTRAN. We will examine the operation
of this rule in detail:


154  LAMBDA INEQSTRIPTRAN (LTQ (STRIP (BAGA A 1 (SUBTRACT
J 1))) (ACCESS A J))

155  (EXISTS ($F (TUPLE (STRIP (BAGA $ARNAME ←LOWER ←UPPER))
←C)))


The  rule  finds  the  hypothesis 


(STRIP (BAGA A 1 I-1)) ≤ R .

It tests if this relation is appropriate:

156  (GOAL $DEDUCE (AND (LTQ $LOWER $L) (LTQ $U $UPPER)
(LTQ $C $D)))

157  LAMBDA RELCHECK (AND (LTQ 1 1) (LTQ (SUBTRACT J 1)
(SUBTRACT I 1)) (LTQ R (ACCESS A J)))

The system is testing whether the array segment between 1 and I-1 includes
the segment between 1 and J-1, and also whether R ≤ A[J]:


158  LAMBDA ANDSPLIT (AND (LTQ 1 1) (LTQ (SUBTRACT J 1)
(SUBTRACT I 1)) (LTQ R (ACCESS A J)))

159  (GOAL $GOALCLASS $X)

160  LAMBDA RELCHECK (LTQ 1 1)

161  RELCHECK = TRUE

162  (GOAL $GOALCLASS (AND $$Y))

163  LAMBDA RELCHECK (AND (LTQ (SUBTRACT J 1) (SUBTRACT
I 1)) (LTQ R (ACCESS A J)))

164  LAMBDA ANDSPLIT (AND (LTQ (SUBTRACT J 1) (SUBTRACT
I 1)) (LTQ R (ACCESS A J)))

165  (GOAL $GOALCLASS $X)

166  LAMBDA RELCHECK (LTQ (SUBTRACT J 1) (SUBTRACT
I 1))

167  RELCHECK = TRUE

168  (GOAL $GOALCLASS (AND $$Y))

169  LAMBDA RELCHECK (AND (LTQ R (ACCESS A J)))

170  LAMBDA ANDSPLIT (AND (LTQ R (ACCESS A J)))

171  (GOAL $GOALCLASS $X)

172  LAMBDA RELCHECK (LTQ R (ACCESS A J))

173  RELCHECK = TRUE

174  (GOAL $GOALCLASS (AND $$Y))

175  ANDSPLIT = (AND)

176  ANDSPLIT = (AND)

177  ANDSPLIT = (AND)


The tests prove to be successful, and INEQSTRIPTRAN returns:

178  INEQSTRIPTRAN = (AND)

The trivial subgoal is achieved:

179  (GOAL $INEQUALITIES ($F (TUPLE $$W (STRIP (BAG $$Y))
$$Z)))

180  LAMBDA RELCHECK (LTQ (STRIP (BAGA A 1 (SUBTRACT J 1)))
(STRIP (BAG)))

181  RELCHECK = TRUE

The call to INEQSTRIPBAG from line 145 returns successfully:

182  INEQSTRIPBAG = TRUE

The call to INEQSTRIPBAG from line 94 also returns:

183  INEQSTRIPBAG = TRUE

Thus, the goal established in line 11 has been successfully proved:

184  PROOFSIMP = TRUE

That goal was established by the rule INEQIFTHENELSE. This rule asserted
J ≤ I with respect to a lower context and set up the goal with respect to
that context. The rule now attempts to deny J ≤ I with respect to another
context and to establish a new goal with respect to the new context.

185  (DENY $X WRT $VERICON)

However, J ≤ I was also asserted with respect to a higher context in line
6. Therefore, denying J ≤ I contradicts this assertion, causing the
denial to fail. Since the situation is contradictory and could not arise,
it is unnecessary to achieve the goal, and the call to INEQIFTHENELSE
from line 9 returns successfully:

186  (RETURN (SUCCESS (TUPLE WITH INEQIFTHENELSE)))

187  INEQIFTHENELSE = (SUCCESS (TUPLE WITH INEQIFTHENELSE))

The goal established in line 7 has been achieved. This goal was set up
by an earlier call to INEQIFTHENELSE (line 3) with respect to a context
in which J-1 < I was asserted (line 4). It is now necessary to set up
a new goal with respect to a new context; in this new context, J-1 < I
is denied:

188  (DENY $X WRT $VERICON)

This denial activates a demon that denies

J ≤ I :

189  LAMBDA TRYALL (TUPLE (TUPLE PLUSEMPTY PLUSSINGLE PLUSZERO
PLUSPLUS PLUSMINUS PLUSDIFFERENCE PLUSCOMBINE PLUSNUMBER) (PLUS 1
J (MINUS 1)))

190  (GOAL $GOALCLASS1 $GOAL1)

191  LAMBDA PLUSMINUS (PLUS 1 J (MINUS 1))

192  PLUSMINUS = (PLUS J)

193  (GOAL $GOALCLASS1 $GOAL1)

194  LAMBDA PLUSSINGLE (PLUS J)

195  PLUSSINGLE = J

196  (GOAL $GOALCLASS1 $GOAL1)

197  (RETURN $GOAL1)

198  TRYALL = J

199  (DENY (LTQ $U $RTSIDE) WRT $VERICON)

The new goal

(STRIP (BAG (STRIP (BAGA A 1 I-1))

A[J]

(STRIP (BAGA A I+1 J-1))))

≤ (IF J ≤ I THEN (STRIP (BAGA A J NN))

ELSE (STRIP (BAG A[I]

(STRIP (BAGA A J+1 NN))
(STRIP (BAGA A J J-1)))))

is established with respect to the new context:

200  (GOAL $INEQUALITIES ($F (TUPLE $$W1 $Z $$W2)) WRT $VERICON)

201  LAMBDA RELCHECK (LTQ (STRIP (BAG (STRIP (BAGA A 1 (SUBTRACT
I 1))) (ACCESS A J) (STRIP (BAGA A (PLUS 1 I) (SUBTRACT J 1))))) (
IFTHENELSE (LTQ J I) (STRIP (BAGA A J NN)) (STRIP (BAG (ACCESS A I)
(STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J (SUBTRACT J 1)))))))


INEQIFTHENELSE  is  invoked  because  the  right-side  of  the  goal  is  of  the 
form  IF-THEN-ELSE . 


202  LAMBDA INEQIFTHENELSE (LTQ (STRIP (BAG (STRIP (BAGA A 1 (SUBTRACT
I 1))) (ACCESS A J) (STRIP (BAGA A (PLUS 1 I) (SUBTRACT J 1))))) (
IFTHENELSE (LTQ J I) (STRIP (BAGA A J NN)) (STRIP (BAG (ACCESS A I)
(STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J (SUBTRACT J 1)))))))


Again the rule creates two contexts: in one context J ≤ I is asserted,
and in the other J ≤ I is denied. However, since J ≤ I was denied in a
higher context (line 199), the assertion of J ≤ I fails; this contradictory
case can safely be ignored, and attention focuses on the second context:

204 (DENY $X WRT $VERICON)

The goal is established using the ELSE clause of the previous goal:

(STRIP (BAG (STRIP (BAGA A 1 I-1))
            A[J]
            (STRIP (BAGA A I+1 J-1))))
≤ (STRIP (BAG A[I]
              (STRIP (BAGA A J+1 NN))
              (STRIP (BAGA A J J-1))))

205 (GOAL $INEQUALITIES ($F (TUPLE $U1 $Z $U2)) WRT $VERICON)

206 LAMBDA RELCHECK (LTQ (STRIP (BAG (STRIP (BAGA A 1 (SUBTRACT
I 1))) (ACCESS A J) (STRIP (BAGA A (PLUS 1 I) (SUBTRACT J 1))))) (STRIP
(BAG (ACCESS A I) (STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J
(SUBTRACT J 1))))))

207 LAMBDA INEQSTRIPBAG (LTQ (STRIP (BAG (STRIP (BAGA A 1 (SUBTRACT
I 1))) (ACCESS A J) (STRIP (BAGA A (PLUS 1 I) (SUBTRACT J 1))))) (STRIP
(BAG (ACCESS A I) (STRIP (BAGA A (PLUS 1 J) NN)) (STRIP (BAGA A J
(SUBTRACT J 1))))))

The proof from this point will only be summarized, since it is lengthy
but uneventful. The goal is divided into nine subgoals by successive
applications of INEQSTRIPBAG. Each of these goals turns out to be easily
proved, and the proof ends successfully.

oo.s INEQIFTHENELSE = TRUE
bSO INEQIFTHENELSE = TRUE
E.GC

TRUE
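The context mechanism the trace above relies on (a context sees what the contexts above it assert or deny, an assertion that contradicts a higher denial fails, and a denial can fire a demon that denies a consequence) is illustrated by the following added Python example. It is not QA4 code and not from the paper; the string form of the formulas, the demon's pattern "X-1 < Y", and the names Context, split_on_condition and run_example are assumptions of this example.

```python
"""Nested contexts with assert/deny and a denial demon.

Added example, not QA4 code and not from the paper.  It models only what
the trace describes: a context sees the assertions and denials of the
contexts above it, asserting a formula denied higher up fails, and denying
"J-1 < I" fires a demon that also denies "J <= I".  Formulas are plain
strings; the demon's pattern and every name here are assumptions.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Demon = Callable[["Context", str, bool], None]


class Context:
    def __init__(self, parent: Optional["Context"] = None) -> None:
        self.parent = parent
        self.facts: Dict[str, bool] = {}    # formula -> True (asserted) / False (denied)
        self.demons: List[Demon] = []       # run after each successful assert/deny

    def lookup(self, formula: str) -> Optional[bool]:
        """Truth value visible here, searching upward; None if unknown."""
        ctx: Optional[Context] = self
        while ctx is not None:
            if formula in ctx.facts:
                return ctx.facts[formula]
            ctx = ctx.parent
        return None

    def _all_demons(self) -> List[Demon]:
        above = self.parent._all_demons() if self.parent else []
        return self.demons + above

    def _set(self, formula: str, value: bool) -> bool:
        known = self.lookup(formula)
        if known is not None and known != value:
            return False                    # contradicts this or a higher context
        self.facts[formula] = value
        for demon in self._all_demons():
            demon(self, formula, value)
        return True

    def assert_(self, formula: str) -> bool:
        return self._set(formula, True)

    def deny(self, formula: str) -> bool:
        return self._set(formula, False)

    def push(self) -> "Context":
        """Open a new context below this one."""
        return Context(self)


def deny_le_on_pred_denial(ctx: Context, formula: str, value: bool) -> None:
    """Over the integers X <= Y implies X-1 < Y, so when "X-1 < Y" is denied
    the demon denies "X <= Y" as well (assumed textual form of the formulas)."""
    m = re.fullmatch(r"(\w+)-1 < (\w+)", formula)
    if m and value is False:
        ctx.deny(f"{m.group(1)} <= {m.group(2)}")


def split_on_condition(ctx: Context, cond: str) -> List[Tuple[str, Context]]:
    """INEQIFTHENELSE's two cases: a THEN context asserting `cond` and an ELSE
    context denying it; a case that contradicts a higher context is dropped."""
    survivors: List[Tuple[str, Context]] = []
    then_ctx = ctx.push()
    if then_ctx.assert_(cond):
        survivors.append(("THEN", then_ctx))
    else_ctx = ctx.push()
    if else_ctx.deny(cond):
        survivors.append(("ELSE", else_ctx))
    return survivors


def run_example() -> Dict[str, object]:
    root = Context()
    root.demons.append(deny_le_on_pred_denial)
    # First split, on J-1 < I: both cases are consistent with the root.
    first = split_on_condition(root, "J-1 < I")
    denied_ctx = dict(first)["ELSE"]         # the context in which J-1 < I is denied
    # Second split, on J <= I, inside that context: the demon's denial
    # (line 199 of the trace) makes the THEN case contradictory.
    second = split_on_condition(denied_ctx, "J <= I")
    return {
        "first_split": [name for name, _ in first],
        "J <= I in denied context": denied_ctx.lookup("J <= I"),
        "second_split": [name for name, _ in second],
    }


if __name__ == "__main__":
    print(run_example())
```

Running the block prints that the first split yields both a THEN and an ELSE context, that J <= I is already denied in the ELSE context by the demon, and that the second split therefore yields only its ELSE case, which is the situation the trace describes.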
EXAMPLE OF HOW A VERIFICATION CONDITION IS GENERATED

For  those  readers  unfamiliar  with  the  Floyd-Naur  method  of  producing 
verification  conditions,  we  give  below  an  example  of  its  application,  a 
complete  trace  of  how  the  first  condition  in  Section  III  was  produced. 

The  program  under  discussion  is  reproduced  again  in  Figure  5. 

The  path  under  consideration  begins  at  point  C,  travels  around  the 
loop  through  point  E,  and  returns  again  to  C.  We  will  try  to  prove  the 
second  conjunct  at  C. 

This statement is

A[0] ≤ MAX, A[1] ≤ MAX, ..., A[I] ≤ MAX . (1)

We pass this assertion backward around the loop to point E, making the
corresponding substitution. The transformed assertion is then

A[0] ≤ A[I], A[1] ≤ A[I], ..., A[I] ≤ A[I] . (2)

Since LOC does not appear explicitly in (2), the assignment LOC ← I has
no effect.

To reach point E, the test

MAX < A[I]? (3)

must have been true. Passing the assertion back before the test gives
the implication

MAX < A[I] ⊃ A[0] ≤ A[I], A[1] ≤ A[I], ..., A[I] ≤ A[I] . (4)

If this implication (4) is true before the test (3), the assertion (2)
will be true after the test.
To travel around the loop at all, the result of test

N < I? (5)

must  have  been  false.  Passing  the  assertion  (4)  back  over  the  test  (5) 
gives 

¬(N < I) ∧ MAX < A[I]

⊃ A[0] ≤ A[I], A[1] ≤ A[I], ..., A[I] ≤ A[I] . (6)

Passing  (6)  back  over  the  assignment  statement 

I ← I+1 (7)


gives 

¬(N < I+1) ∧ MAX < A[I+1]

⊃ A[0] ≤ A[I+1], A[1] ≤ A[I+1], ..., A[I+1] ≤ A[I+1] . (8)

This  statement  has  been  generated  in  such  a  way  that  if  it  is  true 
when  control  passes  through  point  C,  then  (1)  will  be  true  if  control 
passes  around  the  loop  through  point  E  and  returns  to  C .  If  we  consider 
this  path  as  a  straight  line  program  with  the  assertion  at  C  as  both  its 
start  assertion  and  its  halt  assertion,  then  proving  the  correctness  of 
the  second  conjunct  (1)  at  C  reduces  to  proving 

MAX = A[LOC] ∧
A[0] ≤ MAX, ..., A[I] ≤ MAX ∧
0 ≤ LOC ≤ I ≤ N ∧
¬(N < I+1) ∧
MAX < A[I+1] ⊃
A[0] ≤ A[I+1], ..., A[I+1] ≤ A[I+1] .

Finally, the antecedents of this implication are expressed as separate
hypotheses, and the consequent is represented as a goal.
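The backward pass just described, from (1) at C through (2), (4), (6) and (8) to the final implication, as an added Python example; it is not code from the paper or from the verification system it describes. The program steps, the path C → E → C and the assertions are those of the MAX example above; the tuple term language, the bounded "forall_le" standing for the list "A[0] ≤ MAX, ..., A[I] ≤ MAX", and the function names subst, pass_back, vc_for_path and split_hypotheses are assumptions of this example.

```python
"""Floyd-Naur verification condition by backward substitution.

Added example; this is not code from the paper or from the QA4 system.
The program fragment, the path C -> E -> C and the assertions are those
of the MAX example in the text.  The tuple term language, the bounded
"forall_le" used to stand for the list "A[0] <= MAX, ..., A[I] <= MAX",
and every function name below are assumptions of this example.
"""
from typing import Any, List, Tuple

Term = Any          # str (variable), int (literal) or (op, operand, ...)


def subst(t: Term, var: str, value: Term) -> Term:
    """Replace every free occurrence of `var` in `t` by `value`
    (assumes `value` does not mention a bound variable of `t`)."""
    if isinstance(t, str):
        return value if t == var else t
    if isinstance(t, int):
        return t
    op, *args = t
    if op == "forall_le":                 # ("forall_le", K, upper, body)
        k, upper, body = args
        new_body = body if k == var else subst(body, var, value)
        return (op, k, subst(upper, var, value), new_body)
    return (op, *[subst(a, var, value) for a in args])


def add_hypothesis(hyp: Term, assertion: Term) -> Term:
    """Prefix `hyp` to `assertion`, merging antecedents as in (6) and (8)."""
    if assertion[0] == "implies":
        return ("implies", ("and", hyp, assertion[1]), assertion[2])
    return ("implies", hyp, assertion)


def pass_back(assertion: Term, step: Tuple) -> Term:
    """Move an assertion backward over one assignment or one test outcome."""
    if step[0] == "assign":
        _, var, expr = step
        return subst(assertion, var, expr)
    _, cond, outcome = step               # ("test", cond, True/False)
    return add_hypothesis(cond if outcome else ("not", cond), assertion)


def vc_for_path(start: Term, path: List[Tuple], halt: Term) -> Term:
    """Verification condition: start assertion and path facts imply halt."""
    a = halt
    for step in reversed(path):
        a = pass_back(a, step)
    return add_hypothesis(start, a)


def split_hypotheses(vc: Term) -> Tuple[List[Term], Term]:
    """Antecedent conjuncts as separate hypotheses, consequent as the goal."""
    hyps: List[Term] = []

    def collect(f: Term) -> None:
        if f[0] == "and":
            collect(f[1])
            collect(f[2])
        else:
            hyps.append(f)

    collect(vc[1])
    return hyps, vc[2]


SYMBOL = {"<": "<", "<=": "<=", "=": "=", "and": "&", "implies": "=>"}


def show(t: Term) -> str:
    """Readable rendering of a term or formula."""
    if isinstance(t, (str, int)):
        return str(t)
    op, *a = t
    if op == "idx":
        return f"{a[0]}[{show(a[1])}]"
    if op == "+":
        return f"{show(a[0])}+{show(a[1])}"
    if op == "not":
        return f"~({show(a[0])})"
    if op == "forall_le":
        return f"(forall {a[0]} in 0..{show(a[1])}: {show(a[2])})"
    return f"{show(a[0])} {SYMBOL[op]} {show(a[1])}"


# Second conjunct (1) of the assertion at C: A[0] <= MAX, ..., A[I] <= MAX.
INV_C: Term = ("forall_le", "K", "I", ("<=", ("idx", "A", "K"), "MAX"))
# The whole assertion at C: MAX = A[LOC], (1), and 0 <= LOC <= I <= N.
ASSERT_C: Term = ("and", ("and", ("=", "MAX", ("idx", "A", "LOC")), INV_C),
                  ("and", ("<=", 0, "LOC"),
                   ("and", ("<=", "LOC", "I"), ("<=", "I", "N"))))
# The path C -> E -> C in forward order; the backward pass reverses it.
PATH: List[Tuple] = [
    ("assign", "I", ("+", "I", 1)),                   # (7) I <- I+1
    ("test", ("<", "N", "I"), False),                 # (5) N < I?  must be false
    ("test", ("<", "MAX", ("idx", "A", "I")), True),  # (3) MAX < A[I]?  must be true
    ("assign", "LOC", "I"),                           #     LOC <- I  (no effect on (1))
    ("assign", "MAX", ("idx", "A", "I")),             #     MAX <- A[I] at point E
]


def verification_condition() -> Tuple[List[str], str]:
    """Hypotheses and goal handed to the deductive system, as strings."""
    hyps, goal = split_hypotheses(vc_for_path(ASSERT_C, PATH, INV_C))
    return [show(h) for h in hyps], show(goal)


if __name__ == "__main__":
    hyps, goal = verification_condition()
    print("Hypotheses:", *hyps, sep="\n  ")
    print("Goal:", goal)
```

The backward pass reproduces the intermediate assertions in the text: substituting A[I] for MAX turns (1) into (2), the two tests add the antecedents of (4) and (6), and substituting I+1 for I yields (8). The only liberty taken is that 0 ≤ LOC ≤ I ≤ N is split into three hypotheses rather than kept as one.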